Your message dated Tue, 30 Jun 2020 05:48:32 +0000
with message-id <e1jq98c-000bgs...@fasolo.debian.org>
and subject line Bug#963809: fixed in php-horde 5.2.23+debian0-1
has caused the Debian Bug report #963809,
regarding php-horde: CVE-2020-8035
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
963809: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963809
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde
Version: 5.2.21+debian1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 5.2.20+debian0-1+deb10u1
Control: found -1 5.2.13+debian0-1+deb9u1

Hi,

The following vulnerability was published for php-horde.

CVE-2020-8035[0]:
| The image view functionality in Horde Groupware Webmail Edition before
| 5.2.22 is affected by a stored Cross-Site Scripting (XSS)
| vulnerability via an SVG image upload containing a JavaScript payload.
| An attacker can obtain access to a victim's webmail account by making
| them visit a malicious URL.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8035
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8035
[1] https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf
[2] https://lists.horde.org/archives/announce/2020/001290.html

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-horde
Source-Version: 5.2.23+debian0-1
Done: Mike Gabriel <sunwea...@debian.org>

We believe that the bug you reported is fixed in the latest version of
php-horde, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 963...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated php-horde package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 30 Jun 2020 07:25:02 +0200
Source: php-horde
Architecture: source
Version: 5.2.23+debian0-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <team+debian-horde-t...@tracker.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 725001 778750 963809
Changes:
 php-horde (5.2.23+debian0-1) unstable; urgency=medium
 .
   [ Juri Grabowski ]
   * New upstream version 5.2.23+debian0
     - CVE-2020-8035: Don't allow one to view images inline if opened directly.
       (Closes: #963809).
 .
   [ Mike Gabriel ]
   * d/control: Add to Uploaders: Juri Grabowski.
   * d/control: Bump DH compat level to version 13.
   * d/salsa-ci.yml: Add file with salsa-ci.yml and pipeline-jobs.yml calls.
   * d/patches: Rebase 2001_Fix-rewrite-base.patch (new upstream).
   * d/rules: Symlink global .htaccess to site_access in /etc/horde/. (Closes:
     #725001).
   * d/rules: Manage themes in /etc/horde/. (Closes: #778750).
Checksums-Sha1:
 2ee87070ac8625b833295dfde7d4595eecebbffb 2086 php-horde_5.2.23+debian0-1.dsc
 0413bd7c11318ed5da68d14e5b4bd48004353173 2931722 php-horde_5.2.23+debian0.orig.tar.gz
 edc32d61bbfef526f4f31a03f0dc05f9ac4a4158 47856 php-horde_5.2.23+debian0-1.debian.tar.xz
 8096d2a6efdf71c76149e669b80e8250469ec918 7061 php-horde_5.2.23+debian0-1_source.buildinfo
Checksums-Sha256:
 ffe9bae5799a2d89995667d84935a026d4ad16a93f188a98f6132579e94523dc 2086 php-horde_5.2.23+debian0-1.dsc
 18c41b72de537651504761f466f5aa51c3733d4262e966b41ca6b332679e70b5 2931722 php-horde_5.2.23+debian0.orig.tar.gz
 478b0378edd5261273b490b89f0ed4b6d8d2af90e8b7e4bc4d21eb0116e07845 47856 php-horde_5.2.23+debian0-1.debian.tar.xz
 d9f8a834cbddf83330061e1eb9ecc39ade303d6e3531c6454cd0500ee6cedbf3 7061 php-horde_5.2.23+debian0-1_source.buildinfo
Files:
 acc7a5d8bd3482c658a4fbea7d7a6cde 2086 php optional php-horde_5.2.23+debian0-1.dsc
 db93116c6395f31b032074e38500e250 2931722 php optional php-horde_5.2.23+debian0.orig.tar.gz
 3fdb373885ad3aaac2d28111b348997f 47856 php optional php-horde_5.2.23+debian0-1.debian.tar.xz
 963cf70d647883e64935caf905f0fab4 7061 php optional php-horde_5.2.23+debian0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl76zP8VHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxrv0P/2ZCN1Dv7X8gxuYU5YvRHe4lumYB
S7IG3Jfh07+QH0UITxJJ8oLy6L3xZ12OANpZhU9lYZkYSW7A44KnsBZi/jVkeRaK
LZYc6UzdRQRJZLQ/Dztx118mNBXy9Ws/JXbRPgRdMEj/bq3NpqXfUUn7KKstgy6z
WWxXAOZxkrxo1+rCIT3TKY5CQkJ3BgRM0tk7nSvXrM95dS6bLyeSiyeya+oVk77B
NroIfa9q93Xgk+r/pKOXMrIbV9n/3FYe6XQaiAtSiEj4KupS2naTheNYvSWHxiYR
UTLLLL4t2EBkRKU9uxI6YfxVB3fbArHNhiNO/GALO0PWLjWpd2CL1sh3X9mjw18n
PGDmg+eLSZAp/eFMRd0eOTSFwsCIu85SbsW67fN+Q4ZrUIxY96lPvtkHnX1r++wz
X+Dd5Q77Nc1Cd1GJbuTuZfzcR5hpGebbowvUde6stA311xlToVdrx6Lg/hQDsPz7
S8KobdKrRfz3BuxgoJ4YkLnbRCvu/c87svBmlvx/20UDFSSzY+5HxqsUczm6qZ2K
spPm3pZQ0lVshadYi8Zzid2rzOvjFImZnEX0DPd1VWqyxvwYssail1KM9XwpZ5uK
KLNQx1MkhWCwsoKHQbDoZviFJqnL9aFM1Ir8Icn7Xd741MbTplcdtSqoj/dlfD2Y
gXCMDV1pzhjWWib9
=/vKo
-----END PGP SIGNATURE-----

--- End Message ---
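The CVE text above describes a stored XSS through an uploaded SVG rendered inline, and the changelog entry records the mitigation as no longer viewing images inline when they are opened directly. The following PHP is an added illustration of that defensive pattern; it is not Horde's code and does not reproduce the upstream commit. The function names, the allow-list of raster types and the use of `finfo` for content-based type detection are this example's own assumptions.

```php
<?php
// Added example, not Horde code: serve a user-uploaded image so that an SVG
// carrying script cannot execute in the webmail origin.
declare(strict_types=1);

/**
 * Only raster formats are rendered inline. SVG is XML and may contain
 * <script>, event handlers or external references, so it is never on this list.
 * (Allow-list chosen for this example; adjust to the formats your app accepts.)
 */
function isInlineSafeImage(string $mime): bool
{
    return in_array($mime, ['image/png', 'image/jpeg', 'image/gif', 'image/webp'], true);
}

/**
 * Detect the type from file content rather than from the upload's declared
 * Content-Type or its filename extension, both of which the uploader controls.
 */
function sniffImageMime(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    return $mime === false ? null : $mime;
}

/**
 * Send a stored upload to the browser. Raster images go out inline; anything
 * else (including image/svg+xml) is forced to a download with a neutral type.
 */
function sendUploadedImage(string $path, string $filename): void
{
    $mime = sniffImageMime($path);
    if ($mime === null || !is_readable($path)) {
        http_response_code(404);
        return;
    }

    // Stop browsers from second-guessing the declared type.
    header('X-Content-Type-Options: nosniff');
    // Even if a browser did render the body as a document, a sandboxed CSP
    // with no script source blocks script execution and origin access.
    header("Content-Security-Policy: sandbox; default-src 'none'");

    // Keep the attachment filename to a conservative character set.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $filename) ?? 'download';

    if (isInlineSafeImage($mime)) {
        header('Content-Type: ' . $mime);
        header('Content-Disposition: inline; filename="' . $safeName . '"');
    } else {
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $safeName . '"');
    }

    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage (hypothetical paths): sendUploadedImage('/var/lib/app/uploads/abc123', 'logo.svg');
```

The key decision is that the served type comes from content sniffing on the server plus an explicit allow-list, and that every non-raster body leaves with `Content-Disposition: attachment` and an opaque content type. Dropping either half reopens the problem: trusting the declared type lets an SVG claim to be a PNG, and serving SVG inline under its real type lets its script run as the logged-in user.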
