
Hi,
about this issue: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0456
will there be a patch for the OTRS: 2.2 branch?
Thanks for info
Cheers
--
Christian
---------------------------------------------------
The ultimate shop for sportswear and accessories
http://www.sc24.de
---------------------------------------------------

Hi Christian,
there was an advisory for another security issue which was fixed in OTRS 2.3.5, but also 2.1.9 and 2.2.9: http://otrs.org/advisory/OSA-2010-01-en/
Unfortunately, this advisory does not cover the issue described in the CVE you referenced. However, this issue is related to scripts/webform.pl, an example file which is not used by default in OTRS, and therefore not directly vulnerable from outside. For this file, the issue was also fixed in 2.3.5. As this is just plain Perl example code and not related to the rest of the OTRS code, you can just exchange this file from a newer version of OTRS, like this version:
http://source.otrs.org/viewvc.cgi/otrs/scripts/webform.pl?view=co&pathrev=re...
http://source.otrs.org/viewvc.cgi/otrs/scripts/webform.pl?view=co&pathrev=re...
With best regards, mg
On 25.03.11 16:16, Christian wrote:
> Hi,
> about this issue: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0456
> will there be a patch for the OTRS: 2.2 branch?
> Thanks for info
> Cheers
--
Martin Gruner
Senior Developer R&D
OTRS AG
Europaring 4
94315 Straubing
T: +49 (0)6172 681988 0
F: +49 (0)9421 56818 18
I: www.otrs.com/
Registered office: Bad Homburg, District Court: Bad Homburg, HRB 10751, VAT no.: DE256610065
Chairman of the Supervisory Board: Burchard Steinbild, Executive Board: André Mindermann
Increase your efficiency by 30% - with OTRS Help Desk 3.0: http://www.otrs.com/

Hi Martin,
thank you for the information.
Cheers
Chris
On 28.03.2011 10:52, Martin Gruner wrote:
> Hi Christian,
> there was an advisory for another security issue which was fixed in OTRS 2.3.5, but also 2.1.9 and 2.2.9: http://otrs.org/advisory/OSA-2010-01-en/
> Unfortunately, this advisory does not cover the issue described in the CVE you referenced. However, this issue is related to scripts/webform.pl, an example file which is not used by default in OTRS, and therefore not directly vulnerable from outside. For this file, the issue was also fixed in 2.3.5. As this is just plain Perl example code and not related to the rest of the OTRS code, you can just exchange this file from a newer version of OTRS, like this version:
> http://source.otrs.org/viewvc.cgi/otrs/scripts/webform.pl?view=co&pathrev=re...
> http://source.otrs.org/viewvc.cgi/otrs/scripts/webform.pl?view=co&pathrev=re...
> With best regards, mg
> On 25.03.11 16:16, Christian wrote:
> > Hi,
> > about this issue: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0456
> > will there be a patch for the OTRS: 2.2 branch?
> > Thanks for info
> > Cheers
--
Christian
---------------------------------------------------
The ultimate shop for sportswear and accessories
http://www.sc24.de
---------------------------------------------------