Your message dated Sat, 25 Apr 2020 15:02:14 +0000
with message-id <e1jsmjq-0007yt...@fasolo.debian.org>
and subject line Bug#955019: fixed in php-horde-trean 1.1.9-3+deb10u1
has caused the Debian Bug report #955019,
regarding php-horde-trean: CVE-2020-8865
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
955019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955019
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-trean
Version: 1.1.9-4
Severity: important
Tags: security upstream
Control: found -1 1.1.9-3

Hi,

The following vulnerability was published for php-horde-trean.

CVE-2020-8865[0]:
| This vulnerability allows remote attackers to execute local PHP files
| on affected installations of Horde Groupware Webmail Edition 5.2.22.
| Authentication is required to exploit this vulnerability. The specific
| flaw exists within edit.php. When parsing the params[template]
| parameter, the process does not properly validate a user-supplied path
| prior to using it in file operations. An attacker can leverage this in
| conjunction with other vulnerabilities to execute code in the context
| of the www-data user. Was ZDI-CAN-10469.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8865
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8865

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
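The advisory above describes a template parameter used in file operations without path validation. The following is an added example, not code from Horde or from this bug's fix, showing the defensive pattern a maintainer would want for such a parameter: restrict the name to a single plain filename component and confirm that the resolved path stays inside the template directory. The function name `resolveTemplate`, the `.html` suffix rule and the constructed sample inputs are assumptions for illustration.

```php
<?php
// Added example (not Horde's code): safely resolve a user-supplied template name.
// Returns the absolute path, or null when the input must be rejected.
function resolveTemplate(string $templateDir, string $userTemplate): ?string
{
    // Allowlist: one plain filename component, no separators, no dots except
    // the fixed suffix. This alone stops "../" and absolute paths.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $userTemplate)) {
        return null;
    }
    $base = realpath($templateDir);
    if ($base === false) {
        return null;
    }
    // realpath() fails for missing files and collapses symlinks, so the
    // containment check below also catches links pointing outside $base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userTemplate);
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration on a constructed temporary template directory.
$dir = sys_get_temp_dir() . '/template-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/default.html", '<p>ok</p>');

$inputs = [
    'default.html',            // legitimate template name
    '../../../../etc/passwd',  // directory traversal attempt
    '/etc/passwd',             // absolute path
    'default.html%00.php',     // encoded null byte trick
    'missing.html',            // well-formed but nonexistent
];
foreach ($inputs as $in) {
    $res = resolveTemplate($dir, $in);
    printf("%-26s => %s\n", $in, $res === null ? 'rejected' : 'allowed');
}
```

Only `default.html` is allowed; every other input is rejected either by the allowlist or by the `realpath` containment check.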
--- Begin Message ---
Source: php-horde-trean
Source-Version: 1.1.9-3+deb10u1
Done: robe...@debian.org (Roberto C. Sanchez)

We believe that the bug you reported is fixed in the latest version of
php-horde-trean, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez <robe...@debian.org> (supplier of updated php-horde-trean package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 10 Apr 2020 20:31:30 -0400
Source: php-horde-trean
Architecture: source
Version: 1.1.9-3+deb10u1
Distribution: buster
Urgency: high
Maintainer: Horde Maintainers <team+debian-horde-t...@tracker.debian.org>
Changed-By: Roberto C. Sanchez <robe...@debian.org>
Closes: 955019
Changes:
 php-horde-trean (1.1.9-3+deb10u1) buster; urgency=high
 .
   * Fix CVE-2020-8865:
     The Horde Application Framework contained a directory traversal
     vulnerability resulting from insufficient input sanitization. An
     authenticated remote attacker could use this flaw to execute code in the
     context of the web server user. (Closes: #955019)


--- End Message ---
