Security update for otrs SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3054-1 Final 1 1 2017-11-23T11:30:40Z current 2017-11-23T11:30:40Z 2017-11-23T11:30:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for otrs This update for otrs fixes the following security issues: - CVE-2017-15864: Remote authenticated attackers could have caused otrs to disclose configuration information, including database credentials (boo#1068677, OSA-2017-06) - CVE-2017-16664: Remote authenticated attackers could have caused the execution of shell commands with the permission of the web server user (boo#1069391, OSA-2017-07) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00031.html E-Mail link for openSUSE-SU-2017:3054-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 otrs-3.3.20-14.1 otrs-doc-3.3.20-14.1 otrs-itsm-3.3.14-14.1 otrs-3.3.20-14.1 as a component of openSUSE Leap 42.2 otrs-doc-3.3.20-14.1 as a component of openSUSE Leap 42.2 otrs-itsm-3.3.14-14.1 as a component of openSUSE Leap 42.2 otrs-3.3.20-14.1 as a component of openSUSE Leap 42.3 otrs-doc-3.3.20-14.1 as a component of openSUSE Leap 42.3 otrs-itsm-3.3.14-14.1 as a component of openSUSE Leap 42.3 In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password. CVE-2017-15864 openSUSE Leap 42.2:otrs-3.3.20-14.1 openSUSE Leap 42.2:otrs-doc-3.3.20-14.1 openSUSE Leap 42.2:otrs-itsm-3.3.14-14.1 openSUSE Leap 42.3:otrs-3.3.20-14.1 openSUSE Leap 42.3:otrs-doc-3.3.20-14.1 openSUSE Leap 42.3:otrs-itsm-3.3.14-14.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00031.html https://www.suse.com/security/cve/CVE-2017-15864.html CVE-2017-15864 https://bugzilla.suse.com/1068677 SUSE Bug 1068677 Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation. CVE-2017-16664 openSUSE Leap 42.2:otrs-3.3.20-14.1 openSUSE Leap 42.2:otrs-doc-3.3.20-14.1 openSUSE Leap 42.2:otrs-itsm-3.3.14-14.1 openSUSE Leap 42.3:otrs-3.3.20-14.1 openSUSE Leap 42.3:otrs-doc-3.3.20-14.1 openSUSE Leap 42.3:otrs-itsm-3.3.14-14.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00031.html https://www.suse.com/security/cve/CVE-2017-16664.html CVE-2017-16664 https://bugzilla.suse.com/1069391 SUSE Bug 1069391