Bug 224729 - www/otrs: Update to 5.0.26 (security)
Summary: www/otrs: Update to 5.0.26 (security)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Danilo G. Baio
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2017-12-30 14:19 UTC by Vidar Karlsen
Modified: 2018-01-02 23:35 UTC (History)
2 users (show)

See Also:
m.tsatsenko: maintainer-feedback+
dbaio: merge-quarterly+


Attachments
Proposed patch (1.90 KB, patch)
2017-12-30 14:19 UTC, Vidar Karlsen
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Vidar Karlsen 2017-12-30 14:19:16 UTC
Created attachment 189220 [details]
Proposed patch

OTRS 5.0.23 is vulnerable, as described in CVE-2017-16921: 
https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/
https://nvd.nist.gov/vuln/detail/CVE-2017-16921

Privilege Escalation: An attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user.


The attached patch will update to 5.0.26.

portlint -C: looks fine

poudriere testport ok on:
10.3-RELEASE amd64
10.3-RELEASE i386
10.4-RELEASE amd64
10.4-RELEASE i386
11.1-RELEASE amd64
11.1-RELEASE i386
Comment 1 commit-hook freebsd_committer 2017-12-30 16:42:01 UTC
A commit references this bug:

Author: dbaio
Date: Sat Dec 30 16:41:20 UTC 2017
New revision: 457604
URL: https://svnweb.freebsd.org/changeset/ports/457604

Log:
  security/vuxml: Document vulnerabilities in www/otrs

  Security:	CVE-2017-16664
  Security:	CVE-2017-16854
  Security:	CVE-2017-16921

  PR:		224729
  Reported by:	Vidar Karlsen <vidar@karlsen.tech>

Changes:
  head/security/vuxml/vuln.xml
Comment 2 m.tsatsenko 2017-12-30 21:11:46 UTC
Comment on attachment 189220 [details]
Proposed patch

Approved, 
Thanks!
Comment 3 commit-hook freebsd_committer 2017-12-30 22:25:12 UTC
A commit references this bug:

Author: dbaio
Date: Sat Dec 30 22:24:37 UTC 2017
New revision: 457648
URL: https://svnweb.freebsd.org/changeset/ports/457648

Log:
  www/otrs: Update to 5.0.26, Fixes multiple security vulnerabilities

  Changes:	https://www.otrs.com/release-notes-otrs-5s-patch-level-24/
  		https://www.otrs.com/release-notes-otrs-5s-patch-level-25/
  		https://www.otrs.com/release-notes-otrs-5s-patch-level-26/

  PR:		224729
  Submitted by:	Vidar Karlsen <vidar@karlsen.tech>
  Approved by:	Mikhail Tsatsenko <m.tsatsenko@gmail.com> (maintainer)
  MFH:		2017Q4
  Security:	cebd05d6-ed7b-11e7-95f2-005056925db4

Changes:
  head/www/otrs/Makefile
  head/www/otrs/distinfo
  head/www/otrs/pkg-plist
Comment 4 commit-hook freebsd_committer 2018-01-02 23:32:32 UTC
A commit references this bug:

Author: dbaio
Date: Tue Jan  2 23:31:57 UTC 2018
New revision: 457936
URL: https://svnweb.freebsd.org/changeset/ports/457936

Log:
  MFH: r451469 r457648

  www/otrs: Update to 5.0.23

   - Update to 5.0.23
   - Add missing deps [1]
   - Fix plist
   - Convert to options framework

  PR:		222410, 221002 [1]
  Approved by:	m.tsatsenko@gmail.com (maintainer)

  www/otrs: Update to 5.0.26, Fixes multiple security vulnerabilities

  Changes:	https://www.otrs.com/release-notes-otrs-5s-patch-level-24/
  		https://www.otrs.com/release-notes-otrs-5s-patch-level-25/
  		https://www.otrs.com/release-notes-otrs-5s-patch-level-26/

  PR:		224729
  Submitted by:	Vidar Karlsen <vidar@karlsen.tech>
  Approved by:	Mikhail Tsatsenko <m.tsatsenko@gmail.com> (maintainer)
  Security:	cebd05d6-ed7b-11e7-95f2-005056925db4

  Approved by:	ports-secteam (zi)

Changes:
_U  branches/2017Q4/
  branches/2017Q4/www/otrs/Makefile
  branches/2017Q4/www/otrs/distinfo
  branches/2017Q4/www/otrs/pkg-plist
Comment 5 Danilo G. Baio freebsd_committer 2018-01-02 23:35:15 UTC
Committed, thanks!