Kris76's picture


I have a problem with an old (but working fine) installation of OTRS; this problem started with the last updates.

Is it possible to turn off the automatic updates? Because the updates broke the view.

Thanks in advance.

Jeremy Davis's picture

I assume that your OTRS install is a TurnKey v14.x appliance. As you may be aware, TurnKey is based on Debian (v14.x = Debian 8/Jessie). Debian Jessie has OTRS v3.3.18.

First up, according to the announcement of the most recent Jessie OTRS package, the update resolves 2 fairly important security issues. Namely CVE-2019-12248 and CVE-2019-12497. As such, the recommended pathway would be to work with the Debian LTS team to inform them of the regression and look at how that might be resolved.

To be honest, even if your OTRS instance is running locally and/or without any public internet access, because of the nature of the risk potentially associated with CVE-2019-12248 I'd certainly not be inclined to pursue the path I note above (I'm happy to assist with that).

Having said that, it's your server and your business, so if you wish to downgrade the package, you could try reinstalling otrs=3.3.18-1+deb8u9 (the previous security update). I'm not 100% sure that it's available, but the newest package from the main Jessie repo is 3.3.18-1+deb8u4 (i.e. there have been 6 security updates since that release), so going back that far will mean undoing lots of security updates (I can't tell you what they include, but you could find out if you wished).

So this is what I'd try if you are hell bent on downgrading the package and are willing to accept the security implications:

apt-get install otrs=3.3.18-1+deb8u9

Hopefully that will work.

To disable all security updates (so it doesn't get reinstalled) you could just rename the security sources list file (only files ending in '.list' are used by apt when checking for new packages). So this should do the trick:

mv /etc/apt/sources.list.d/security.sources.list /etc/apt/sources.list.d/security.sources.list.disabled
Kris76's picture

Hi Jeremy,


Thanks for the reply. The package 3.3.18-1+deb8u9 isn't available. I have a 10-day-old copy of the VM fully working, so maybe I can just take a look at the OTRS conf files there.

Now I only need to find those files. Maybe something is just misconfigured; OTRS is working fine except on the customer page (there is no way to see the text in the opened ticket, but if the customer uses "export ticket as pdf" all the text is available). The ticket text is replaced with an "internal server error".


Thanks for the support :)

Jeremy Davis's picture

Downgrading the package would have been the easiest way to go, but as it's not available, clearly that's not an option. You could have a look within the apt cache of your server (the current one and/or the backup) to see if the package is there. Do that like this:

find /var/cache/apt -type f -name "otrs*"

FWIW the 'otrs' package is simply a metapackage (essentially an empty package that depends on other package(s) that actually include data); the actual OTRS code is found within the 'otrs2' package (it contains OTRS3 so I'm not completely sure why it's called 'otrs2' but that's probably a whole other rabbit hole...).

The best way to go really would be to understand what the actual issue is. Perhaps the error logs might be of assistance there? It'd probably be worth checking the Apache logs, and there may also be a specific OTRS log (TBH I'm not sure...). Unfortunately though OTRS is written in Perl (my least favourite language and one I'm not super familiar with).

The error that you note, "internal server error" usually means that when Apache tried to load a page something in the backend didn't work as expected. So other than suggesting that there is a bug somewhere within OTRS (as you've already noted...) it doesn't really give us much specific to work with. I suspect that the Apache log may provide more info. You should find it at /var/log/apache2/error.log.

FWIW you can view all the contents of the 'otrs2 (3.3.18-1+deb8u10)' package here. If the issue you are hitting is specifically with the file, then you'll find that here: /usr/share/otrs/bin/cgi-bin/

However IMO it's likely a bit deeper than that (I could be wrong though...). However if you were to copy the contents of the working instance's /usr/share/otrs/ directory over the top of the broken one then that may do the trick?!

It's well worth noting that generally it's really bad practice to poke around in /usr/share as it's managed by the package management system and changes made there will likely be overwritten by future updates. However in your case (especially if you disable security updates) you should be ok.

Another option worth considering is try an "in place" Debian upgrade. As noted previously v14.x was based on Debian 8/Jessie. You could try doing an upgrade to Debian 9/Stretch. That should upgrade you to OTRS 5.0.16. Note that the OTRS package has moved to "non-free" (it's still free as in beer, but there must be some licensing changes that Debian doesn't like). So if you try that route, you'll need to enable the non-free repo.

Kris76's picture

Hi Jeremy,

After reading about /usr/share/otrs I took a look at the file dates and I discovered a difference in all *customer.* files (your tip to copy the working dir over the broken one caused more problems).

Looking at the Apache log, the problem was with the attachment, so I renamed the "broken files" and moved in the working ones and... problem fixed.

Now I'm doing some more tests (opening a ticket, adding an attachment) but right now all seems OK and working. Right now I don't know if all is fixed, but I don't know a way to say thanks.

Oh wait, there's a donate section...


Thanks Thanks Thanks Thanks
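
Added example, not part of the original posts: the comparison described above (a known-good copy of /usr/share/otrs against the updated one), done by checksum rather than by file date, so that only the files that actually changed are identified. The backup mount point shown in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: report which files differ between a known-good copy of
# /usr/share/otrs and the updated one, comparing content, not file dates.

# hash_tree DIR: print "<sha256>  ./relative/path" for every regular file.
hash_tree() (
    cd "$1" && find . -type f -exec sha256sum {} +
)

# changed_files GOOD CURRENT: print one line per difference, sorted by path:
#   M path = content differs, D path = only in GOOD, A path = only in CURRENT
changed_files() (
    good=$(mktemp) && cur=$(mktemp) || exit 1
    hash_tree "$1" > "$good" && hash_tree "$2" > "$cur" || {
        rm -f "$good" "$cur"
        exit 1
    }
    # sha256sum lines are 64 hex digits, two separator characters, then the
    # path, so the path starts at column 67 (keeps paths with spaces intact).
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        FILENAME == ARGV[1] { good[p] = h; next }
        { seen[p] = 1
          if (!(p in good))      print "A " p
          else if (good[p] != h) print "M " p }
        END { for (p in good) if (!(p in seen)) print "D " p }
    ' "$good" "$cur" | LC_ALL=C sort -k2
    rm -f "$good" "$cur"
)

# Usage: sh otrs-diff.sh /mnt/backup/usr/share/otrs /usr/share/otrs
# (the backup mount point is an assumption; use wherever the old VM disk is)
if [ "$#" -eq 2 ]; then
    changed_files "$1" "$2"
fi
```

Files reported as M or A are the ones the update touched; keeping that list makes it possible to see later which files no longer match the installed package.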



Jeremy Davis's picture

Sorry to hear that my suggested hack only created more issues (it was always a long shot, but worth mentioning IMO).

Regardless though, it sounds like you may have worked out the issue (or at least how to work around the issue). Although it does all sound a bit strange...

Great to hear that things are now moving in the right direction though! Good luck with it all and please post back if you have any further concerns or questions. I can't guarantee that I'll have all the answers, but I'll do my best. :)
