Your message dated Sat, 25 Apr 2020 15:02:14 +0000
with message-id <e1jsmjq-0007yc...@fasolo.debian.org>
and subject line Bug#955020: fixed in php-horde-form 2.0.18-3.1+deb10u1
has caused the Debian Bug report #955020,
regarding php-horde-form: CVE-2020-8866
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
955020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955020
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-form
Version: 2.0.19-1
Severity: important
Tags: security upstream
Control: found -1 2.0.18-3.1
Control: found -1 2.0.15-1+deb9u1
Control: found -1 2.0.15-1

Hi,

The following vulnerability was published for php-horde-form.

CVE-2020-8866[0]:
| This vulnerability allows remote attackers to create arbitrary files
| on affected installations of Horde Groupware Webmail Edition 5.2.22.
| Authentication is required to exploit this vulnerability. The specific
| flaw exists within add.php. The issue results from the lack of proper
| validation of user-supplied data, which can allow the upload of
| arbitrary files. An attacker can leverage this in conjunction with
| other vulnerabilities to execute code in the context of the www-data
| user. Was ZDI-CAN-10125.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8866
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8866

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-horde-form
Source-Version: 2.0.18-3.1+deb10u1
Done: robe...@debian.org (Roberto C. Sanchez)

We believe that the bug you reported is fixed in the latest version of
php-horde-form, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez <robe...@debian.org> (supplier of updated php-horde-form package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Mar 2020 13:55:11 -0400
Source: php-horde-form
Architecture: source
Version: 2.0.18-3.1+deb10u1
Distribution: buster
Urgency: high
Maintainer: Horde Maintainers <team+debian-horde-t...@tracker.debian.org>
Changed-By: Roberto C. Sanchez <robe...@debian.org>
Closes: 955020
Changes:
 php-horde-form (2.0.18-3.1+deb10u1) buster; urgency=high
 .
   * Fix CVE-2020-8866:
     The Horde Application Framework contained a remote code execution
     vulnerability. An authenticated remote attacker could use this flaw to
     upload arbitrary content to an arbitrary writable location on the server
     and potentially execute code in the context of the web server user.
     (Closes: #955020)


--- End Message ---
