Your message dated Sat, 25 Apr 2020 15:17:26 +0000
with message-id <e1jsmyy-000aha...@fasolo.debian.org>
and subject line Bug#955020: fixed in php-horde-form 2.0.15-1+deb9u2
has caused the Debian Bug report #955020,
regarding php-horde-form: CVE-2020-8866
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
955020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955020
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-form
Version: 2.0.19-1
Severity: important
Tags: security upstream
Control: found -1 2.0.18-3.1
Control: found -1 2.0.15-1+deb9u1
Control: found -1 2.0.15-1

Hi,

The following vulnerability was published for php-horde-form.

CVE-2020-8866[0]:
| This vulnerability allows remote attackers to create arbitrary files
| on affected installations of Horde Groupware Webmail Edition 5.2.22.
| Authentication is required to exploit this vulnerability. The specific
| flaw exists within add.php. The issue results from the lack of proper
| validation of user-supplied data, which can allow the upload of
| arbitrary files. An attacker can leverage this in conjunction with
| other vulnerabilities to execute code in the context of the www-data
| user. Was ZDI-CAN-10125.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8866
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8866

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-horde-form
Source-Version: 2.0.15-1+deb9u2
Done: robe...@debian.org (Roberto C. Sanchez)

We believe that the bug you reported is fixed in the latest version of
php-horde-form, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez <robe...@debian.org> (supplier of updated php-horde-form package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Mar 2020 13:54:47 -0400
Source: php-horde-form
Binary: php-horde-form
Architecture: source
Version: 2.0.15-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hack...@lists.alioth.debian.org>
Changed-By: Roberto C. Sanchez <robe...@debian.org>
Description:
 php-horde-form - ${phppear:summary}
Closes: 955020
Changes:
 php-horde-form (2.0.15-1+deb9u2) stretch; urgency=high
 .
   * Fix CVE-2020-8866:
     The Horde Application Framework contained a remote code execution
     vulnerability. An authenticated remote attacker could use this flaw to
     upload arbitrary content to an arbitrary writable location on the server
     and potentially execute code in the context of the web server user.
     (Closes: #955020)


--- End Message ---
