Your message dated Sat, 10 Jul 2010 16:17:25 +0000
with message-id <[email protected]>
and subject line Bug#569661: fixed in imp4 4.3.7+debian0-2
has caused the Debian Bug report #569661,
regarding CVE-2010-0463: privacy compromise via DNS prefetching in web mail
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
569661: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=569661
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: imp4
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for imp4.

CVE-2010-0463[0]:
| Horde IMP 4.3.6 and earlier does not request that the web browser
| avoid DNS prefetching of domain names contained in e-mail messages,
| which makes it easier for remote attackers to determine the network
| location of the webmail user by logging DNS requests.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0463
    http://security-tracker.debian.org/tracker/CVE-2010-0463


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkt2bKgACgkQNxpp46476aoQvACfR6rJHFEp7Id3/4pbGNGfP0Ou
lwQAoJI330KbB6ZXFf8ukHKUg/5LfL7K
=aOFp
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: imp4
Source-Version: 4.3.7+debian0-2

We believe that the bug you reported is fixed in the latest version of
imp4, which is due to be installed in the Debian FTP archive:

imp4_4.3.7+debian0-2.diff.gz
  to main/i/imp4/imp4_4.3.7+debian0-2.diff.gz
imp4_4.3.7+debian0-2.dsc
  to main/i/imp4/imp4_4.3.7+debian0-2.dsc
imp4_4.3.7+debian0-2_all.deb
  to main/i/imp4/imp4_4.3.7+debian0-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart <[email protected]> (supplier of updated imp4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Sat, 10 Jul 2010 17:34:29 +0200
Source: imp4
Binary: imp4
Architecture: source all
Version: 4.3.7+debian0-2
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <[email protected]>
Changed-By: Gregory Colpart <[email protected]>
Description: 
 imp4       - webmail component for horde framework
Closes: 569661
Changes: 
 imp4 (4.3.7+debian0-2) unstable; urgency=medium
 .
   * Backport patches from Horde CVS (http://bugs.horde.org/ticket/8836) to turn
     off DNS prefetching when displaying untrusted content. See CVE-2010-0463
     for more information. (Closes: #569661)
   * Update to standards version 3.8.3, no further required changes.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREDAAYFAkw4l7oACgkQMhdcDcECeg6lVACcDGNsjQ9Mw6eROhgFtsBnUsRa
vMsAn2L7QXfsHBYp/+JwrQNNlKldgMBq
=Nn4M
-----END PGP SIGNATURE-----



--- End Message ---
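
The fix described in the changelog above, "turn off DNS prefetching when displaying untrusted content", can be checked from the outside. The following is an added example, not code from Horde or the Debian package. It assumes the browser opt-out is the X-DNS-Prefetch-Control response header or its meta http-equiv equivalent, which the messages above do not name; the function name and sample page are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _Scan(HTMLParser):
    """Collects link hostnames and any x-dns-prefetch-control meta tag."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.meta_value = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and "href" in a:
            # Relative and mailto: links have no hostname and are skipped.
            host = urlsplit(a["href"]).hostname
            if host:
                self.hosts.add(host)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            self.meta_value = a.get("content", "").strip().lower()


def audit_prefetch(headers, html):
    """Return (prefetch_disabled, hostnames a prefetching browser may resolve)."""
    scan = _Scan()
    scan.feed(html)
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    header = lowered.get("x-dns-prefetch-control")
    disabled = header == "off" or scan.meta_value == "off"
    exposed = [] if disabled else sorted(scan.hosts)
    return disabled, exposed


# Constructed sample: a rendered message view containing links from an e-mail.
SAMPLE_HTML = (
    "<html><body><p>Hello</p>"
    '<a href="http://news.example/offer">offer</a>'
    '<a href="/mailbox">back to mailbox</a>'
    '<a href="mailto:someone@example.org">reply</a>'
    "</body></html>"
)

if __name__ == "__main__":
    print(audit_prefetch({"Content-Type": "text/html"}, SAMPLE_HTML))
    print(audit_prefetch({"X-DNS-Prefetch-Control": "off"}, SAMPLE_HTML))
```

Run against the message-view page of a patched installation, the first element should be True; the second element lists the external hostnames that would otherwise be resolved without the user clicking anything.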
