Format: 1.8
Date: Thu, 07 Dec 2017 13:51:47 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 5.0.16-1+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 otrs - Open Ticket Request System (OTRS 5)
 otrs2 - Open Ticket Request System
Closes: 883774
Changes:
 otrs2 (5.0.16-1+deb9u4) stretch-security; urgency=high
 .
   * Add patch 19-CVE-2017-16921:
     This fixes OSA-2017-09, also known as CVE-2017-16921: An attacker who is
     logged into OTRS as an agent can manipulate form parameters and execute
     arbitrary shell commands with the permissions of the OTRS or web server
     user.
     Closes: #883774
   * Add patch 18-CVE-2017-16854:
     This fixes OSA-2017-08, also known as CVE-2017-16854: An attacker who is
     logged into OTRS as a customer can use the ticket search form to disclose
     internal article information of their customer tickets.