rpms/otrs/EL-5 otrs-2.1.5-CVE-2008-1515.diff, NONE, 1.1 otrs.spec, 1.7, 1.8

Tomas Hoger (thoger) fedora-extras-commits at redhat.com
Tue Apr 8 19:56:17 UTC 2008


Author: thoger

Update of /cvs/extras/rpms/otrs/EL-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20058

Modified Files:
	otrs.spec 
Added Files:
	otrs-2.1.5-CVE-2008-1515.diff 
Log Message:
Add upstream patch for CVE-2008-1515 / OSA-2008-01.


otrs-2.1.5-CVE-2008-1515.diff:

--- NEW FILE otrs-2.1.5-CVE-2008-1515.diff ---
Upstream patch for CVE-2008-1515 / OSA-2008-01

diff -pruN otrs-2.1.5.orig/bin/cgi-bin/rpc.pl otrs-2.1.5/bin/cgi-bin/rpc.pl
--- otrs-2.1.5.orig/bin/cgi-bin/rpc.pl	2006-08-29 15:42:35.000000000 +0200
+++ otrs-2.1.5/bin/cgi-bin/rpc.pl	2008-04-08 21:15:14.000000000 +0200
@@ -78,7 +78,18 @@ sub Dispatch {
     my $Object = shift;
     my $Method = shift;
     my %Param = @_;
-    if ($User ne $CommonObject{ConfigObject}->Get('SOAP::User') || $Pw ne $CommonObject{ConfigObject}->Get('SOAP::Password')) {
+    my $RequiredUser = $CommonObject{ConfigObject}->Get('SOAP::User');
+    my $RequiredPassword = $CommonObject{ConfigObject}->Get('SOAP::Password');
+    if ( !defined $RequiredUser || !length( $RequiredUser )
+        || !defined $RequiredPassword || !length( $RequiredPassword )
+    ) {
+        $CommonObject{LogObject}->Log(
+            Priority => 'notice',
+            Message  => "SOAP::User or SOAP::Password is empty, SOAP access denied!",
+        );
+        return;
+    }
+    if ( $User ne $RequiredUser || $Pw ne $RequiredPassword ) {
         $CommonObject{LogObject}->Log(
             Priority => 'notice',
             Message => "Auth for user $User faild!",
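
Review bot: The final check `$User ne $RequiredUser || $Pw ne $RequiredPassword` still uses an ordinary string comparison that short-circuits on the username, so it is not constant-time. Consider comparing fixed-length digests of the supplied and required values and evaluating both conditions before branching. The new empty-credential guard itself looks right, but it returns with a bare `return` and logs only at `notice`. Since an empty `SOAP::User` or `SOAP::Password` is a configuration fault, a higher priority would make it easier for an admin to spot. The context log line also interpolates the caller-supplied `$User` directly into the message; stripping control characters before logging would keep log entries unambiguous.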


Index: otrs.spec
===================================================================
RCS file: /cvs/extras/rpms/otrs/EL-5/otrs.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- otrs.spec	6 Jun 2007 18:56:26 -0000	1.7
+++ otrs.spec	8 Apr 2008 19:55:34 -0000	1.8
@@ -1,13 +1,14 @@
 Summary:	The Open Ticket Request System
 Name:		otrs
 Version:	2.1.7
-Release:	1%{?dist}
+Release:	2%{?dist}
 License:	GPL
 Group:		Applications/Internet
 URL: 		http://www.otrs.org/
 Source0:	ftp://ftp.otrs.org/pub/%{name}/%{name}-%{version}.tar.bz2
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Source1:	otrs.httpd.conf
+Patch0:		otrs-2.1.5-CVE-2008-1515.diff
 
 BuildArch: noarch
 Requires: perl-GDGraph
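
Review bot: `Patch0` is named `otrs-2.1.5-CVE-2008-1515.diff` while `Version` is 2.1.7, which will read as a mismatch to the next maintainer. Either rename the patch to match the packaged version or add a spec comment above `Patch0:` saying the upstream fix was generated against 2.1.5, that it applies unchanged to 2.1.7, and that it can be dropped once the package is rebased onto a release containing the fix.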
@@ -34,6 +35,7 @@
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 # copy config file
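
Review bot: `%patch0 -p1` applies a diff generated against the 2.1.5 tree to 2.1.7 sources with no backup suffix. Adding one, for example `%patch0 -p1 -b .CVE-2008-1515`, leaves the original `rpc.pl` beside the patched file for comparison. It is also worth confirming in the build log that the hunk applies without fuzz or offset, so the check lands in `Dispatch` where intended.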
@@ -117,6 +119,11 @@
 %attr(0660,otrs,apache) %{otrsdir}/.*ail*
 
 %changelog
+* Tue Apr 08 2008 Tomas Hoger <thoger at redhat.com> - 2.1.7-2
+- Security update: Add upstream patch for CVE-2008-1515 / OSA-2008-01
+  (Vulnerability in OTRS SOAP interface allowing remote access without
+  valid SOAP user - http://otrs.org/advisory/OSA-2008-01-en/ )
+
 * Wed Jun 06 2007 Mike McGrath <mmcgrath at redhat.com> 2.1.7-1
 - Upstream released new version
 



