rpms/otrs/EL-5 otrs-2.1.5-CVE-2008-1515.diff, NONE, 1.1 otrs.spec, 1.7, 1.8
Tomas Hoger (thoger)
fedora-extras-commits at redhat.com
Tue Apr 8 19:56:17 UTC 2008
Author: thoger
Update of /cvs/extras/rpms/otrs/EL-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20058
Modified Files:
otrs.spec
Added Files:
otrs-2.1.5-CVE-2008-1515.diff
Log Message:
Add upstream patch for CVE-2008-1515 / OSA-2008-01.
otrs-2.1.5-CVE-2008-1515.diff:
--- NEW FILE otrs-2.1.5-CVE-2008-1515.diff ---
Upstream patch for CVE-2008-1515 / OSA-2008-01
diff -pruN otrs-2.1.5.orig/bin/cgi-bin/rpc.pl otrs-2.1.5/bin/cgi-bin/rpc.pl
--- otrs-2.1.5.orig/bin/cgi-bin/rpc.pl 2006-08-29 15:42:35.000000000 +0200
+++ otrs-2.1.5/bin/cgi-bin/rpc.pl 2008-04-08 21:15:14.000000000 +0200
@@ -78,7 +78,18 @@ sub Dispatch {
my $Object = shift;
my $Method = shift;
my %Param = @_;
- if ($User ne $CommonObject{ConfigObject}->Get('SOAP::User') || $Pw ne $CommonObject{ConfigObject}->Get('SOAP::Password')) {
+ my $RequiredUser = $CommonObject{ConfigObject}->Get('SOAP::User');
+ my $RequiredPassword = $CommonObject{ConfigObject}->Get('SOAP::Password');
+ if ( !defined $RequiredUser || !length( $RequiredUser )
+ || !defined $RequiredPassword || !length( $RequiredPassword )
+ ) {
+ $CommonObject{LogObject}->Log(
+ Priority => 'notice',
+ Message => "SOAP::User or SOAP::Password is empty, SOAP access denied!",
+ );
+ return;
+ }
+ if ( $User ne $RequiredUser || $Pw ne $RequiredPassword ) {
$CommonObject{LogObject}->Log(
Priority => 'notice',
Message => "Auth for user $User faild!",
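Review bot: The new guard only rejects empty configured values; the comparison on the line `if ( $User ne $RequiredUser || $Pw ne $RequiredPassword )` is still a plain `ne` string test, which returns as soon as the strings differ and so is not constant-time. Consider comparing fixed-length digests of the supplied and required values instead. Two smaller points in the same hunk: the misconfiguration branch logs "SOAP::User or SOAP::Password is empty, SOAP access denied!" at Priority 'notice', where 'error' would make a disabled SOAP interface easier for an administrator to spot, and the failure message interpolates the $User value being authenticated straight into the log ("Auth for user $User faild!"), so it should be quoted or stripped of control characters first, and "faild" corrected to "failed" while the line is being touched.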
Index: otrs.spec
===================================================================
RCS file: /cvs/extras/rpms/otrs/EL-5/otrs.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- otrs.spec 6 Jun 2007 18:56:26 -0000 1.7
+++ otrs.spec 8 Apr 2008 19:55:34 -0000 1.8
@@ -1,13 +1,14 @@
Summary: The Open Ticket Request System
Name: otrs
Version: 2.1.7
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPL
Group: Applications/Internet
URL: http://www.otrs.org/
Source0: ftp://ftp.otrs.org/pub/%{name}/%{name}-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Source1: otrs.httpd.conf
+Patch0: otrs-2.1.5-CVE-2008-1515.diff
BuildArch: noarch
Requires: perl-GDGraph
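Review bot: The `Patch0: otrs-2.1.5-CVE-2008-1515.diff` line names a 2.1.5 patch while the spec carries `Version: 2.1.7`, and the patch's own paths are otrs-2.1.5.orig/ and otrs-2.1.5/. Please confirm the hunk applies to the 2.1.7 rpc.pl without fuzz or offset, and either rename the file to match the packaged version or add a comment above Patch0 saying the upstream patch was generated against 2.1.5.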
@@ -34,6 +35,7 @@
%prep
%setup -q
+%patch0 -p1
%build
# copy config file
@@ -117,6 +119,11 @@
%attr(0660,otrs,apache) %{otrsdir}/.*ail*
%changelog
+* Tue Apr 08 2008 Tomas Hoger <thoger at redhat.com> - 2.1.7-2
+- Security update: Add upstream patch for CVE-2008-1515 / OSA-2008-01
+ (Vulnerability in OTRS SOAP interface allowing remote access without
+ valid SOAP user - http://otrs.org/advisory/OSA-2008-01-en/ )
+
* Wed Jun 06 2007 Mike McGrath <mmcgrath at redhat.com> 2.1.7-1
- Upstream released new version
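Review bot: The new changelog header ends in `- 2.1.7-2`, while the existing entry below it ends in `2.1.7-1` with no dash before the version-release. Pick one form so the changelog stays consistent. The entry itself usefully names both CVE-2008-1515 and OSA-2008-01 and links the advisory, which is what someone auditing the package for this fix will search for.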