[Secure-testing-commits] r57851 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Mon Nov 20 14:28:02 UTC 2017


Author: carnil
Date: 2017-11-20 14:28:02 +0000 (Mon, 20 Nov 2017)
New Revision: 57851

Modified:
   data/CVE/list
Log:
Add status for CVE-2017-15864/otrs2

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-11-20 13:40:41 UTC (rev 57850)
+++ data/CVE/list	2017-11-20 14:28:02 UTC (rev 57851)
@@ -3220,9 +3220,13 @@
 CVE-2017-15865 (bgpd in FRRouting (FRR) before 2.0.2 and 3.x before 3.0.2, as used in ...)
 	- frr <itp> (bug #863249)
 CVE-2017-15864 (In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x ...)
-	- otrs2 <undetermined>
+	- otrs2 4.0.7-2
 	NOTE: https://www.otrs.com/security-advisory-2017-06-security-update-otrs-3-3/
-	TODO: check, upstream claims affects only 3.3.x series, contacted OTRS security team
+	NOTE: https://github.com/OTRS/otrs/compare/3bc58ebeb9bdbe8107251a03cf7b9b8cfc515f53...80a0a9a138278d63a2621d146eb3c29e982aa2d5
+	NOTE: Root cause for the issue is the recursive parsing handling in the old
+	NOTE: DTL template engine that OTRS used up to OTRS 3.3. Starting with OTRS 4
+	NOTE: OTRS switched to a new Template::Toolkit based engine which does not perform
+	NOTE: recursive parsing and not affected by this issue.
 CVE-2016-10517 (networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" ...)
 	{DLA-1161-1}
 	- redis 3:3.2.7-1
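Review bot: The otrs2 line and the NOTE lines in this hunk state two slightly different things: `- otrs2 4.0.7-2` records a fixed version, while the root-cause NOTEs say OTRS 4 and later are not affected at all because the DTL engine that does the recursive parsing was replaced by a Template::Toolkit based engine. If 4.0.7-2 is simply the oldest otrs2 version in the archive, a short NOTE saying so would make the choice of that version over `<not-affected>` clear to the next person reading the entry. Minor wording point in the last NOTE: "and not affected by this issue" should read "and is not affected by this issue".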
