[Secure-testing-commits] r57851 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Mon Nov 20 14:28:02 UTC 2017
Author: carnil
Date: 2017-11-20 14:28:02 +0000 (Mon, 20 Nov 2017)
New Revision: 57851
Modified:
data/CVE/list
Log:
Add status for CVE-2017-15864/otrs2
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-11-20 13:40:41 UTC (rev 57850)
+++ data/CVE/list 2017-11-20 14:28:02 UTC (rev 57851)
@@ -3220,9 +3220,13 @@
CVE-2017-15865 (bgpd in FRRouting (FRR) before 2.0.2 and 3.x before 3.0.2, as used in ...)
- frr <itp> (bug #863249)
CVE-2017-15864 (In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x ...)
- - otrs2 <undetermined>
+ - otrs2 4.0.7-2
NOTE: https://www.otrs.com/security-advisory-2017-06-security-update-otrs-3-3/
- TODO: check, upstream claims affects only 3.3.x series, contacted OTRS security team
+ NOTE: https://github.com/OTRS/otrs/compare/3bc58ebeb9bdbe8107251a03cf7b9b8cfc515f53...80a0a9a138278d63a2621d146eb3c29e982aa2d5
+ NOTE: Root cause for the issue is the recursive parsing handling in the old
+ NOTE: DTL template engine that OTRS used up to OTRS 3.3. Starting with OTRS 4
+ NOTE: OTRS switched to a new Template::Toolkit based engine which does not perform
+ NOTE: recursive parsing and not affected by this issue.
CVE-2016-10517 (networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" ...)
{DLA-1161-1}
- redis 3:3.2.7-1
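Review bot: the last added NOTE line is missing a verb ("recursive parsing and not affected by this issue" should read "recursive parsing and is not affected by this issue"). Since the notes state that OTRS 4 replaced the DTL engine with Template::Toolkit and is not affected by design, the NOTE would also benefit from one sentence saying why 4.0.7-2 is recorded as the fixed version rather than marking the package <not-affected>, i.e. that earlier Debian uploads of otrs2 shipped the affected 3.3.x series; that keeps the reasoning for the status change visible to anyone re-checking the entry against the upstream advisory linked in the first NOTE.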