CVE-2010-0438 Multiple SQL injection vulnerabilities

Bug #523473 reported by Woo
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
otrs2 (Ubuntu) | Fix Released | Undecided | Unassigned |
Hardy | Won't Fix | Undecided | Unassigned |
Intrepid | Invalid | Undecided | Unassigned |
Jaunty | Won't Fix | Undecided | Unassigned |
Karmic | Won't Fix | Undecided | Woo |

Bug Description

Binary package hint: otrs2

Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9, 2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Woo (w-digmia) wrote :
visibility: private → public
Changed in otrs2 (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Thanks for the karmic debdiff.

Could you please resubmit it with the following changes:
- Proper changelog including bug number and the distribution set to karmic-security (See guidelines: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging)
- Proper patch tagging (See guidelines: http://dep.debian.net/deps/dep3/)

I have unsubscribed ubuntu-security-sponsors for now. Please re-subscribe the team when an updated debdiff has been submitted.

Changed in otrs2 (Ubuntu Karmic):
status: New → Incomplete
assignee: nobody → Tomas Zatko (w-digmia)
tags: added: patch
tags: added: patch-needswork
removed: patch
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug is still marked as confirmed in later versions of Ubuntu.

Changed in otrs2 (Ubuntu Intrepid):
status: New → Invalid
Alex Valavanis (valavanisalex) wrote :

Jaunty reached end-of-life on 23 October 2010. The bug is marked as confirmed in later versions of Ubuntu.

Changed in otrs2 (Ubuntu Jaunty):
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Karmic reached end-of-life in April 2011. This bug does not affect Lucid.

Changed in otrs2 (Ubuntu Karmic):
status: Incomplete → Won't Fix
Jamie Strandboge (jdstrand) wrote :

While this bug affects Ubuntu 8.04 LTS, since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures. Since this bug has been open a long time and there doesn't seem to be interest in fixing it in Hardy, I am closing it as Won't Fix for now. If someone is interested in fixing this on Hardy, please adjust this according to https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures. Thanks

Changed in otrs2 (Ubuntu Hardy):
status: New → Won't Fix
Changed in otrs2 (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
