Your message dated Tue, 30 Jun 2020 09:04:19 +0000 with message-id <e1jqcbf-0001ey...@fasolo.debian.org> and subject line Bug#955020: fixed in php-horde-form 2.0.20-1 has caused the Debian Bug report #955020, regarding php-horde-form: CVE-2020-8866 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 955020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955020 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: php-horde-form Version: 2.0.19-1 Severity: important Tags: security upstream Control: found -1 2.0.18-3.1 Control: found -1 2.0.15-1+deb9u1 Control: found -1 2.0.15-1 Hi, The following vulnerability was published for php-horde-form. CVE-2020-8866[0]: | This vulnerability allows remote attackers to create arbitrary files | on affected installations of Horde Groupware Webmail Edition 5.2.22. | Authentication is required to exploit this vulnerability. The specific | flaw exists within add.php. The issue results from the lack of proper | validation of user-supplied data, which can allow the upload of | arbitrary files. An attacker can leverage this in conjunction with | other vulnerabilities to execute code in the context of the www-data | user. Was ZDI-CAN-10125. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-8866 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8866 Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: php-horde-form Source-Version: 2.0.20-1 Done: Mike Gabriel <sunwea...@debian.org> We believe that the bug you reported is fixed in the latest version of php-horde-form, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 955...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Mike Gabriel <sunwea...@debian.org> (supplier of updated php-horde-form package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 30 Jun 2020 10:36:20 +0200 Source: php-horde-form Architecture: source Version: 2.0.20-1 Distribution: unstable Urgency: medium Maintainer: Horde Maintainers <team+debian-horde-t...@tracker.debian.org> Changed-By: Mike Gabriel <sunwea...@debian.org> Closes: 955020 Changes: php-horde-form (2.0.20-1) unstable; urgency=medium . [ Juri Grabowski ] * New upstream version 2.0.20 * SECURITY: Prevent ability to specify temporary filename (CVE-2020-8866) (Closes: #955020). . [ Mike Gabriel ] * d/salsa-ci.yml: Add file with salsa-ci.yml and pipeline-jobs.yml calls. * d/control: Bump DH compat level to version 13. * d/control: Add to Uploaders: Juri Grabowski. Checksums-Sha1: af5162b88ec4318ab69db428b36ebda4a94180a7 2063 php-horde-form_2.0.20-1.dsc fa7b0bb1c927176c54c38cf94b886e6291c84cad 198229 php-horde-form_2.0.20.orig.tar.gz ad0747258858e8623ea6eb14370b16e57d414b03 3368 php-horde-form_2.0.20-1.debian.tar.xz dfcbeabbba8264ae4a7573fecd19083be7b15b17 7024 php-horde-form_2.0.20-1_source.buildinfo Checksums-Sha256: f3945070f3b2ee8590ae3b59977076debf7398fc82c45b552e02f7c310bc6790 2063 php-horde-form_2.0.20-1.dsc dc2c993464d7f192c938cfbb4cbe9630bce6d23ce141a0a52efb83a71b99e177 198229 php-horde-form_2.0.20.orig.tar.gz 70f21b9803a04088f7aad3edbe64c6234991bb749d5ba5df9bb00c8ae9e3d682 3368 php-horde-form_2.0.20-1.debian.tar.xz 28de4848d620b05c9dce02a8aea9a0998ecb8f4e6d62538923e1b1d6d6634ace 7024 php-horde-form_2.0.20-1_source.buildinfo Files: 8b4434af56523a74cb0dade900cc697b 2063 php optional php-horde-form_2.0.20-1.dsc 6a7a2b3d5c7163fe68b0587aaeef6361 198229 php optional php-horde-form_2.0.20.orig.tar.gz 3dcd1c2b70f54a775a68ad08a98c81ae 3368 php optional php-horde-form_2.0.20-1.debian.tar.xz ce7863a7a0d959101ef378496e5ae61c 7024 php optional php-horde-form_2.0.20-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl76+aQVHHN1bndlYXZl ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxB9YQAJU1FYbED48AZCofeDmtqTSG9/vc 02PWbrpXE6l5jTooFHg6oIKXJeIuUsI8I8Sk8BYO3KT0Z5b/yfvQMbN8Y2x+MZo2 WnHbyS/rk2E2C2BZgb/WSRocjZnguWr5VtHPg1MIJtv445bvO7gY8S+5uCO1jV3q efElXd+uu+SR9kzgfvLy5NHQR6UTx2bRwuhkjOtpYVq8H2pAoQTBpDBWhIkrZ0Mi 9Xct+xu4iSyyxijP8EphV/vG3oJGJf1ZixQ93h/VDKRfAJAb5RHMwJC5eHqtOBHV nB+VXWuS+exq9wfrH7zxizE7f4PtJFQeToEYIe/g7lIMiLM0vSPUYI+LB8Z/CTMS 8VDOaRsxeesIzubCh9rwVGOQreWbHAh6Ju3e+cEelcK8zLMZRZuaYiMfOyOXZ/Ep tNQIakB8O0sxsVKbmMXCgDFyiHiG9Bbha7elIQ+3kUTHP0MjRrky4idHiZIbKyth NqNduNbRza9wWU6yWV8RdmDU9maC0c6V/gReualYiQF1xUu/Nb05Fg7nN6MaCrCn UAekhEuH7ze3EHMc+kqwqmWr1MattjkbOwXJI6UB0LarTeqyBYV329q62lS6yAQp 7nNnWhXDurccVEq9/nUe6qaEi+K1KIO/dSY93dE3pY0rLwtOsVQEEy3khwt8XteS UXNPGFuoPa8t8ZSR =bvCH -----END PGP SIGNATURE-----
--- End Message ---
