Making the Package Manager More Secure

Martin Gruner | 11. Jun 2018 | Administration, Cyber Security, Modifications & Packages

A user recently complained about the OTRS package manager's ability to execute code from packages (CVE-2018-7567). There are good reasons for this (packages install code anyway, and this ability is required for complex setup routines), but of course, it means that admins had better double-check the packages they install.

After looking for ways to improve the situation, we decided to slightly change the default behavior of the package manager. By default, only packages verified by OTRS can be installed now; there is a new configuration option to allow installation of packages from other/untrusted sources.

#1
Robert Ullrich at 12.06.2018, 09:07

Nice one! Thanks for this improvement! :-)
