Your message dated Fri, 21 Mar 2008 07:52:14 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#470640: fixed in horde3 3.1.3-4etch3
has caused the Debian Bug report #470640,
regarding horde3: CVE-2008-1284 file inclusion vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
470640: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470640
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: horde3
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for horde3.

CVE-2008-1284[0]:
| Directory traversal vulnerability in Horde 3.1.6, Groupware before
| 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with
| certain configurations, allows remote authenticated users to read and
| execute arbitrary files via ".." sequences and a null byte in the
| theme name.

Patch is on:
http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.6-3.1.7.gz

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1284

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
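
The CVE text quoted in the report above describes ".." sequences and a null byte in the theme name reaching a file path; that class of flaw is closed by validating the preference before any path is built from it. The following is an added example, not the Horde patch or code from this thread; the function name, the `screen.css` file name and the demo directory are assumptions:

```php
<?php
/**
 * Hypothetical helper: map a user-supplied theme name to a stylesheet
 * inside $themesDir, or return null when the name is not acceptable.
 */
function resolve_theme_path(string $themesDir, $theme): ?string
{
    // 1. Syntax: a short plain identifier only. One check rejects NUL
    //    bytes, "..", "/" and "\" as well as empty and non-string input.
    if (!is_string($theme) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return null;
    }

    // 2. Existence: the theme must be a real entry under the themes directory.
    $base = realpath($themesDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $theme
        . DIRECTORY_SEPARATOR . 'screen.css');
    if ($candidate === false) {
        return null;
    }

    // 3. Containment: after symlink resolution the file must still sit
    //    below the themes directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a throwaway themes directory with one valid theme.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'themes_demo_' . getmypid();
mkdir($dir . '/bluewhite', 0700, true);
file_put_contents($dir . '/bluewhite/screen.css', "/* demo */\n");

// Constructed inputs: one legitimate name, then the malformed shapes
// named in the CVE text, then empty and non-string values.
$inputs = ['bluewhite', '../../etc/passwd', "bluewhite\0.css", '../bluewhite', '', ['x']];
foreach ($inputs as $in) {
    $path = resolve_theme_path($dir, $in);
    printf("%-24s => %s\n", json_encode($in), $path === null ? 'rejected' : 'accepted');
}

// Clean up the demo directory.
unlink($dir . '/bluewhite/screen.css');
rmdir($dir . '/bluewhite');
rmdir($dir);
```

Only the first input is accepted; every other value is rejected before it is ever concatenated into a path.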
--- Begin Message ---
Source: horde3
Source-Version: 3.1.3-4etch3

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.1.3-4etch3.diff.gz
  to pool/main/h/horde3/horde3_3.1.3-4etch3.diff.gz
horde3_3.1.3-4etch3.dsc
  to pool/main/h/horde3/horde3_3.1.3-4etch3.dsc
horde3_3.1.3-4etch3_all.deb
  to pool/main/h/horde3/horde3_3.1.3-4etch3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <[EMAIL PROTECTED]> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 19:08:56 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.3-4etch3
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers <[EMAIL PROTECTED]>
Changed-By: Gregory Colpart (evolix) <[EMAIL PROTECTED]>
Description: 
 horde3     - horde web application framework
Closes: 470640
Changes: 
 horde3 (3.1.3-4etch3) stable-security; urgency=high
 .
   * Fix arbitrary file inclusion through abuse of the theme preference (see
     CVE-2008-1284 for more information). (Closes: #470640)
Files: 
 f8929682acb675550e4235c62a99cbe6 974 web optional horde3_3.1.3-4etch3.dsc
 d79fbe74794a4f6c70f208ba3a55bebc 13100 web optional horde3_3.1.3-4etch3.diff.gz
 d4a9a4db3744a2cd496ed499c39ec6b3 5270328 web optional horde3_3.1.3-4etch3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
