openSUSE Security Update: Security update for otrs ______________________________________________________________________________ Announcement ID: openSUSE-SU-2017:1571-1 Rating: moderate References: #1043086 #1043244 Cross-References: CVE-2017-9324 Affected Products: openSUSE Leap 42.2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for otrs fixes the following issues: - CVE-2017-9324: Incorrect Access Control in OTRS - Improved SecureMode detection in Installer (OSA-2017-03, bsc#1043086) - bsc#1043244: Reflected cross-site scripting in OTRS, customer search should not return results for internal (OSA-2017-02) In addition, OTRS was updated to 3.3.17 with the following fixes: - Function "SystemDataGroupGet" has problems with empty values in oracle - Base64 encoded image does not display in article - Chrome could not display attached PDF files Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.2: zypper in -t patch openSUSE-2017-691=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.2 (noarch): otrs-3.3.17-5.3.1 otrs-doc-3.3.17-5.3.1 otrs-itsm-3.3.14-5.3.1 References: https://www.suse.com/security/cve/CVE-2017-9324.html https://bugzilla.suse.com/1043086 https://bugzilla.suse.com/1043244