[Secure-testing-commits] r52359 - in data: . CVE

[Ola Lundqvist]

Author: opal
Date: 2017-06-06 20:14:52 +0000 (Tue, 06 Jun 2017)
New Revision: 52359

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Found otrs2 to be vulnerable to something. However it is not fully clear what the problem is.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-06-06 18:57:17 UTC (rev 52358)
+++ data/CVE/list	2017-06-06 20:14:52 UTC (rev 52359)
@@ -362,6 +362,19 @@
 	RESERVED
 	- otrs2 <unfixed>
 	NOTE: https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/
+	NOTE: The security advisory is not very specific about the problem.
+	NOTE: From the CHANGES.md file in 3.3.17 it is likely to be this problem
+	NOTE: that have been dealt with:
+	NOTE: 2017-05-31 Improved SecureMode detection in Installer.
+	NOTE: Suspected file changes in 3.3.17 are the following:
+	NOTE: bin/otrs.PackageManager.pl (good change but unknown security impact)
+	NOTE: bin/otrs.SetPermissions.pl (looks like a security improvement at least)
+	NOTE: bin/otrs.CheckModules.pl (probably not security related)
+	NOTE: Kernel/Modules/Installer.pm (this is clearly a security fault!!!)
+	NOTE: Kernel/Config/Files/Framework.xml (may be a security issue)
+	NOTE: Kernel/System/SupportDataCollector.pm (may be a security issue)
+	NOTE: It is clear that the package is vulnerable to something. Further
+	NOTE: investigation is needed to pinpoint the exact vulnerability.
 CVE-2017-9323
 	RESERVED
 CVE-2017-9322

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2017-06-06 18:57:17 UTC (rev 52358)
+++ data/dla-needed.txt	2017-06-06 20:14:52 UTC (rev 52359)
@@ -79,6 +79,8 @@
 mysql-workbench
   NOTE: maintainer contacted 20170429
 --
+otrs2
+--
 postgresql-9.1 (Christoph Berg)
   NOTE: maintainer will give it a try tomorrow (2017-05-28)
 --