Bug 224729

Summary: www/otrs: Update to 5.0.26 (security)
Product: Ports & Packages
Reporter: Vidar Karlsen <vidar>
Component: Individual Port(s)
Assignee: Danilo G. Baio <dbaio>
Status: Closed FIXED
Severity: Affects Some People
CC: dbaio, m.tsatsenko
Priority: ---
Keywords: patch, security
Version: Latest
Flags: m.tsatsenko: maintainer-feedback+
       dbaio: merge-quarterly+
Hardware: Any
OS: Any
Attachments:
  Proposed patch (flags: none)

Description Vidar Karlsen 2017-12-30 14:19:16 UTC
Created attachment 189220 [details]
Proposed patch

OTRS 5.0.23 is vulnerable, as described in CVE-2017-16921: 
https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/
https://nvd.nist.gov/vuln/detail/CVE-2017-16921

Privilege Escalation: An attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user.


The attached patch will update to 5.0.26.

portlint -C: looks fine

poudriere testport ok on:
10.3-RELEASE amd64
10.3-RELEASE i386
10.4-RELEASE amd64
10.4-RELEASE i386
11.1-RELEASE amd64
11.1-RELEASE i386
Comment 1 commit-hook freebsd_committer freebsd_triage 2017-12-30 16:42:01 UTC
A commit references this bug:

Author: dbaio
Date: Sat Dec 30 16:41:20 UTC 2017
New revision: 457604
URL: https://svnweb.freebsd.org/changeset/ports/457604

Log:
  security/vuxml: Document vulnerabilities in www/otrs

  Security:	CVE-2017-16664
  Security:	CVE-2017-16854
  Security:	CVE-2017-16921

  PR:		224729
  Reported by:	Vidar Karlsen <vidar@karlsen.tech>

Changes:
  head/security/vuxml/vuln.xml
Comment 2 m.tsatsenko 2017-12-30 21:11:46 UTC
Comment on attachment 189220 [details]
Proposed patch

Approved, 
Thanks!
Comment 3 commit-hook freebsd_committer freebsd_triage 2017-12-30 22:25:12 UTC
A commit references this bug:

Author: dbaio
Date: Sat Dec 30 22:24:37 UTC 2017
New revision: 457648
URL: https://svnweb.freebsd.org/changeset/ports/457648

Log:
  www/otrs: Update to 5.0.26, Fixes multiple security vulnerabilities

  Changes:	https://www.otrs.com/release-notes-otrs-5s-patch-level-24/
  		https://www.otrs.com/release-notes-otrs-5s-patch-level-25/
  		https://www.otrs.com/release-notes-otrs-5s-patch-level-26/

  PR:		224729
  Submitted by:	Vidar Karlsen <vidar@karlsen.tech>
  Approved by:	Mikhail Tsatsenko <m.tsatsenko@gmail.com> (maintainer)
  MFH:		2017Q4
  Security:	cebd05d6-ed7b-11e7-95f2-005056925db4

Changes:
  head/www/otrs/Makefile
  head/www/otrs/distinfo
  head/www/otrs/pkg-plist
Comment 4 commit-hook freebsd_committer freebsd_triage 2018-01-02 23:32:32 UTC
A commit references this bug:

Author: dbaio
Date: Tue Jan  2 23:31:57 UTC 2018
New revision: 457936
URL: https://svnweb.freebsd.org/changeset/ports/457936

Log:
  MFH: r451469 r457648

  www/otrs: Update to 5.0.23

   - Update to 5.0.23
   - Add missing deps [1]
   - Fix plist
   - Convert to options framework

  PR:		222410, 221002 [1]
  Approved by:	m.tsatsenko@gmail.com (maintainer)

  www/otrs: Update to 5.0.26, Fixes multiple security vulnerabilities

  Changes:	https://www.otrs.com/release-notes-otrs-5s-patch-level-24/
  		https://www.otrs.com/release-notes-otrs-5s-patch-level-25/
  		https://www.otrs.com/release-notes-otrs-5s-patch-level-26/

  PR:		224729
  Submitted by:	Vidar Karlsen <vidar@karlsen.tech>
  Approved by:	Mikhail Tsatsenko <m.tsatsenko@gmail.com> (maintainer)
  Security:	cebd05d6-ed7b-11e7-95f2-005056925db4

  Approved by:	ports-secteam (zi)

Changes:
_U  branches/2017Q4/
  branches/2017Q4/www/otrs/Makefile
  branches/2017Q4/www/otrs/distinfo
  branches/2017Q4/www/otrs/pkg-plist
Comment 5 Danilo G. Baio freebsd_committer freebsd_triage 2018-01-02 23:35:15 UTC
Committed, thanks!