
[SECURITY] [DLA 787-1] otrs2 security update




Package        : otrs2
Version        : 3.1.7+dfsg1-8+deb7u6
CVE ID         : CVE-2016-9139
Debian Bug     : 843091


A cross-site scripting vulnerability (XSS) was discovered in OTRS, a
ticket requesting system for the web. An attacker could trick an
authenticated user into opening a malicious attachment which could
lead to the execution of JavaScript in OTRS context.
This update addresses the vulnerability by setting a strict default
HTTP content security policy that forbids loading of third-party files.

For Debian 7 "Wheezy", these problems have been fixed in version
3.1.7+dfsg1-8+deb7u6.

We recommend that you upgrade your otrs2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -- 
Jonas Meurer

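The fix described in the advisory is a content security policy that forbids third-party loads. The following is an added example, not code from the advisory or from the otrs2 package, showing one way to check a Content-Security-Policy header value for sources outside the application's own origin. The function names and sample policies are constructed for illustration; the policy actually shipped by the update is not given in the advisory.

```python
# Added example: audit a Content-Security-Policy header value for sources
# that permit loading from outside the application's own origin.
# A subset of CSP fetch directives; each falls back to default-src when absent.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "object-src")


def parse_csp(header_value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Browsers honour the first occurrence of a directive and ignore repeats.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def third_party_findings(header_value):
    """Return (directive, source) pairs that allow non-same-origin loads."""
    policy = parse_csp(header_value)
    findings = []
    for directive in FETCH_DIRECTIVES:
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            # No directive and no default-src: the browser applies no limit.
            findings.append((directive, "<unrestricted>"))
            continue
        for source in sources:
            # Quoted keywords ('self', 'none', nonces, hashes) name no external
            # origin; hosts, schemes and "*" do. Inline-script keywords are a
            # separate concern and are not evaluated here.
            if not source.startswith("'"):
                findings.append((directive, source))
    return findings


if __name__ == "__main__":
    # Constructed sample policies, not the value shipped in the otrs2 package.
    samples = {
        "strict": "default-src 'self'; img-src 'self'",
        "loose": "default-src 'self'; script-src 'self' https://cdn.example.net; img-src *",
        "partial": "script-src 'self'",
    }
    for name, value in samples.items():
        print(name, third_party_findings(value))
```

An empty result means every checked directive is limited to same-origin or blocked sources; the header value to audit can be taken from a response of the upgraded installation.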

