Page MenuHomePhabricator
Create Task
Maniphest T182072

Upgrade OTRS to 5.0.25 or apply security patch manually
Closed, ResolvedPublic
Actions

Description

From https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/, released today:

An attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user.

Fixed in OTRS 5.0.25: https://www.otrs.com/release-notes-otrs-5s-patch-level-25/

Event Timeline

pajz created this task.Dec 5 2017, 10:52 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 5 2017, 10:52 AM
pajz updated the task description. (Show Details)Dec 5 2017, 10:58 AM
pajz added a subscriber: akosiaris.Dec 5 2017, 11:02 AM
Krenair set Security to Software security bug.Dec 5 2017, 11:37 PM
Krenair changed the visibility from "Public (No Login Required)" to "Custom Policy".
Krenair subscribed.
akosiaris added a comment.Dec 6 2017, 12:18 PM

Both patches manually applied. So we should now be safe from both advisory 17-8 and 17-9.

I 'd like to schedule an emergency upgrade. My earliest tentative date is Monday Dec 11 on 11:00 UTC

dpatrick moved this task from Backlog / Other to Operational issues on the acl*security board.Dec 6 2017, 6:30 PM
akosiaris closed this task as Resolved.Dec 13 2017, 10:08 AM
akosiaris claimed this task.

5.0.25 has been successfully installed. This did not happen on the tentative scheduled date, but rather just now, sorry about that.

akosiaris removed a project: acl*security.Dec 13 2017, 10:09 AM
akosiaris changed the visibility from "Custom Policy" to "Public (No Login Required)".
Restricted Application added a project: acl*security. · View Herald TranscriptDec 13 2017, 10:09 AM
akosiaris merged a task: Restricted Task.Feb 22 2018, 10:49 AM
akosiaris added subscribers: OldUser02, MoritzMuehlenhoff.
chasemp added a project: Security.Feb 10 2020, 10:52 PM
Restricted Application added a subscriber: Krd. · View Herald TranscriptFeb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL