Making the Package Manager More Secure
The practical examples presented in our technical blog (blog.otrs.com) and now in the expert category in our FAQ blog section serve as a source of ideas and documentation to show what is theoretically possible with OTRS in concrete scenarios or sometimes even for more exotic configurations. All configurations presented here were developed under laboratory conditions as a proof of concept.
We can only guarantee testing and implementation of these concepts to be error-free and productive if implemented in a workshop with one of our OTRS consultants. Without this, the responsibility lies with the customer himself. Please note that configurations from older OTRS versions may not work in the newer ones.
A user recently complained about the OTRS package manager ability to execute code from packages (CVE-2018-7567). There are good reasons for this (packages install code anyway, required for complex setup routines), but of course, it means that admins better double check the packages they install.
After looking for ways to improve the situation, we decided to slightly change the default behavior of the package manager. By default, only packages verified by OTRS can be installed now; there is a new configuration option to allow installation of packages from other/untrusted sources.