[Secure-testing-commits] r52359 - in data: . CVE

Ola Lundqvist opal at moszumanska.debian.org
Tue Jun 6 20:14:52 UTC 2017


Author: opal
Date: 2017-06-06 20:14:52 +0000 (Tue, 06 Jun 2017)
New Revision: 52359

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Found otrs2 to be vulnerable to something. However, it is not fully clear what the problem is.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-06-06 18:57:17 UTC (rev 52358)
+++ data/CVE/list	2017-06-06 20:14:52 UTC (rev 52359)
@@ -362,6 +362,19 @@
 	RESERVED
 	- otrs2 <unfixed>
 	NOTE: https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/
+	NOTE: The security advisory is not very specific about the problem.
+	NOTE: From the CHANGES.md file in 3.3.17 it is likely to be this problem
+	NOTE: that have been dealt with:
+	NOTE: 2017-05-31 Improved SecureMode detection in Installer.
+	NOTE: Suspected file changes in 3.3.17 are the following:
+	NOTE: bin/otrs.PackageManager.pl (good change but unknown security impact)
+	NOTE: bin/otrs.SetPermissions.pl (looks like a security improvement at least)
+	NOTE: bin/otrs.CheckModules.pl (probably not security related)
+	NOTE: Kernel/Modules/Installer.pm (this is clearly a security fault!!!)
+	NOTE: Kernel/Config/Files/Framework.xml (may be a security issue)
+	NOTE: Kernel/System/SupportDataCollector.pm (may be a security issue)
+	NOTE: It is clear that the package is vulnerable to something. Further
+	NOTE: investigation is needed to pinpoint the exact vulnerability.
 CVE-2017-9323
 	RESERVED
 CVE-2017-9322
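
Review bot: The NOTE on Kernel/Modules/Installer.pm says "this is clearly a security fault!!!" but never states what the fault is, while the closing NOTE says further investigation is needed to pinpoint the vulnerability. The entry would be more useful to the next person triaging it if that line described what changed in Installer.pm, or referenced the upstream change, instead of the emphasis. The candidates marked "probably not security related" and "unknown security impact" could be dropped or moved below the stronger candidates so the list reads in order of suspicion. Minor wording: "that have been dealt with" should be "that has been dealt with".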

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2017-06-06 18:57:17 UTC (rev 52358)
+++ data/dla-needed.txt	2017-06-06 20:14:52 UTC (rev 52359)
@@ -79,6 +79,8 @@
 mysql-workbench
   NOTE: maintainer contacted 20170429
 --
+otrs2
+--
 postgresql-9.1 (Christoph Berg)
   NOTE: maintainer will give it a try tomorrow (2017-05-28)
 --
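
Review bot: The new otrs2 entry has no claimant and no NOTE, unlike the mysql-workbench and postgresql-9.1 entries around it, which each carry a status line. Since the exact vulnerability is not yet identified, consider adding a NOTE under otrs2 that points at the open questions recorded in data/CVE/list, so whoever picks the package up knows that analysis is needed before a fix can be backported.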



