Security fixes for OTRS 1.3.2

We are running 1.3.2 and have made many mods to the code all the way to the system files. The issues related to security in 1.3.2 are a top issue for us now. I would like to know if there is a set of patches that can fix this problem for OTRS 1.3.2, or are there other suggestions that would expedite getting our installation secure as soon as possible.
Thanks, Mark Wallace

Hello, this has been resolved in the meantime. It works with Base64 encoding.
Sven
Sven Waibel wrote:
Hello,
I would like to store a UTF-16 encoded file or a binary file as an attachment in OTRS via SOAP. How is this handled on the OTRS side? Is it decoded automatically? If so, in which format (base64)?
Regards, Sven

Ok, I think I've found where the security changes in 1.3.2 were made. In the release notes it states: 1.3.3 (2005-10-20) - (2005/10/17) added security bugfix for missing SQL quote
And I believe the file that the changes were made in is System/DB.pm.
I would kindly ask that any developer that worked on this verify where the changes were made to fix the security problems with 1.3.2. We are going to upgrade our installation eventually, but we have made a number of customizations that will take a while to migrate, so in the meantime we need to patch our version of 1.3.2. Thanks for your help.
Mark
On Apr 12, 2007, at 5:41 PM, Mark D. Wallace wrote:
We are running 1.3.2 and have made many mods to the code all the way to the system files. The issues related to security in 1.3.2 are a top issue for us now. I would like to know if there is a set of patches that can fix this problem for OTRS 1.3.2, or are there other suggestions that would expedite getting our installation secure as soon as possible.
Thanks, Mark Wallace
_______________________________________________ OTRS mailing list: dev - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/dev To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/dev

Hi Mark,
just use this patch. It's against OTRS 1.3.2 and will fix the security problem. :)
http://users.otrs.com/~me/otrs-1.3.2-OSA-2005-01-patch.diff
Greetings from Germany,
Martin Edenhofer
((otrs)) :: OTRS GmbH :: Europaring 4 :: D - 94315 Straubing Fon: +49 (0) 9421 56818 0 :: Fax: +49 (0) 9421 56818 18 http://www.otrs.com/ :: Communication with success!
Mark D. Wallace wrote:
Ok, I think I've found where the security changes in 1.3.2 were made. In the release notes it states: 1.3.3 (2005-10-20) - (2005/10/17) added security bugfix for missing SQL quote
And I believe the file that the changes were made in is System/DB.pm.
I would kindly ask that any developer that worked on this verify where the changes were made to fix the security problems with 1.3.2. We are going to upgrade our installation eventually, but we have made a number of customizations that will take a while to migrate, so in the meantime we need to patch our version of 1.3.2. Thanks for your help.
Mark
On Apr 12, 2007, at 5:41 PM, Mark D. Wallace wrote:
We are running 1.3.2 and have made many mods to the code all the way to the system files. The issues related to security in 1.3.2 are a top issue for us now. I would like to know if there is a set of patches that can fix this problem for OTRS 1.3.2, or are there other suggestions that would expedite getting our installation secure as soon as possible.
Thanks, Mark Wallace

Thanks Martin.
Mark
On Apr 17, 2007, at 12:46 AM, Martin Edenhofer wrote:
Hi Mark,
just use this patch. It's against OTRS 1.3.2 and will fix the security problem. :)
http://users.otrs.com/~me/otrs-1.3.2-OSA-2005-01-patch.diff
Greetings from Germany,
Martin Edenhofer
((otrs)) :: OTRS GmbH :: Europaring 4 :: D - 94315 Straubing Fon: +49 (0) 9421 56818 0 :: Fax: +49 (0) 9421 56818 18 http://www.otrs.com/ :: Communication with success!
Mark D. Wallace wrote:
Ok, I think I've found where the security changes in 1.3.2 were made. In the release notes it states: 1.3.3 (2005-10-20) - (2005/10/17) added security bugfix for missing SQL quote
And I believe the file that the changes were made in is System/DB.pm.
I would kindly ask that any developer that worked on this verify where the changes were made to fix the security problems with 1.3.2. We are going to upgrade our installation eventually, but we have made a number of customizations that will take a while to migrate, so in the meantime we need to patch our version of 1.3.2. Thanks for your help.
Mark
On Apr 12, 2007, at 5:41 PM, Mark D. Wallace wrote:
We are running 1.3.2 and have made many mods to the code all the way to the system files. The issues related to security in 1.3.2 are a top issue for us now. I would like to know if there is a set of patches that can fix this problem for OTRS 1.3.2, or are there other suggestions that would expedite getting our installation secure as soon as possible.
Thanks, Mark Wallace