Your message dated Mon, 07 Nov 2005 01:02:07 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#332289: fixed in horde3 3.0.4-4sarge1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 5 Oct 2005 17:16:56 +0000
>From [EMAIL PROTECTED] Wed Oct 05 10:16:56 2005
Return-path: <[EMAIL PROTECTED]>
Received: from dsl254-118-016.nyc1.dsl.speakeasy.net (localhost.localdomain)
[216.254.118.16]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1ENCsy-0003oq-00; Wed, 05 Oct 2005 10:16:56 -0700
Received: from stew by localhost.localdomain with local (Exim 4.52)
id 1ENCsR-00023N-A7; Wed, 05 Oct 2005 13:16:23 -0400
Date: Wed, 5 Oct 2005 13:16:23 -0400
From: Mike O'Connor <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: permissions on /etc/horde/horde3/* are too lax
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Reportbug-Version: 3.17
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
Package: horde3
Version: 3.0.5-1
Severity: critical
Tags: security
Justification: root security hole
In the README.Debian, in section 6. it is recommended that the end
user executes:
chown root.www config/*
chmod 0440 config/*
becuase the "Some of Horde's configuration files contain passwords which
local users could use to access your database".
This is somehting that should be done by the maintainer scripts and not
left up to the end user to do.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages horde3 depends on:
ii apache [httpd] 1.3.33-7 versatile, high-performance HTTP s
ii libapache-mod-php4 [phpapi-2 4:4.3.10-15 server-side, HTML-embedded scripti
ii php4 4:4.3.10-15 server-side, HTML-embedded scripti
ii php4-cli [phpapi-20020918] 4:4.3.10-15 command-line interpreter for the p
ii php4-domxml 4:4.3.10-15 XMLv2 module for php4
ii php4-pear 4:4.3.10-15 PEAR - PHP Extension and Applicati
ii php4-pear-log 1.6.0-1.1 Log module for PEAR
Versions of packages horde3 recommends:
ii logrotate 3.7.1-2 Log rotation utility
pn php-date <none> (no description available)
pn php-file <none> (no description available)
pn php-mail-mime <none> (no description available)
pn php-services-weather <none> (no description available)
pn php4-gd | php4-gd2 <none> (no description available)
pn php4-mcrypt <none> (no description available)
pn php4-mysql | php4-pgsql | php <none> (no description available)
-- no debconf information
---------------------------------------
Received: (at 332289-close) by bugs.debian.org; 7 Nov 2005 09:07:00 +0000
>From [EMAIL PROTECTED] Mon Nov 07 01:07:00 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EZ2tD-0003QE-00; Mon, 07 Nov 2005 01:02:07 -0800
From: Ola Lundqvist <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#332289: fixed in horde3 3.0.4-4sarge1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 07 Nov 2005 01:02:07 -0800
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Source: horde3
Source-Version: 3.0.4-4sarge1
We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:
horde3_3.0.4-4sarge1.diff.gz
to pool/main/h/horde3/horde3_3.0.4-4sarge1.diff.gz
horde3_3.0.4-4sarge1.dsc
to pool/main/h/horde3/horde3_3.0.4-4sarge1.dsc
horde3_3.0.4-4sarge1_all.deb
to pool/main/h/horde3/horde3_3.0.4-4sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ola Lundqvist <[EMAIL PROTECTED]> (supplier of updated horde3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 8 Oct 2005 21:33:40 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge1
Distribution: stable-security
Urgency: high
Maintainer: Ola Lundqvist <[EMAIL PROTECTED]>
Changed-By: Ola Lundqvist <[EMAIL PROTECTED]>
Description:
horde3 - horde web application framework
Closes: 332276 332289 332290
Changes:
horde3 (3.0.4-4sarge1) stable-security; urgency=high
.
* Horde3 disabled by default as the administration/install wizard is a
security hole, closes: #332290, #332289.
CVE-2005-3344
* Removed some crap from the README.Debian file and documented that
horde3 is now disabled by default, closes: #332276.
Files:
cc9b46f4b5a4f4a514ecbc51d9eb3a58 627 web optional horde3_3.0.4-4sarge1.dsc
b0e7fb95efe86aeb42cfd0b478dd312b 6751 web optional horde3_3.0.4-4sarge1.diff.gz
671d10d028345c0cfc133cc0504a2d50 3432038 web optional
horde3_3.0.4-4sarge1_all.deb
e2221d409ba1c8841ce4ecee981d7b61 3378143 web optional horde3_3.0.4.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDbw3cW5ql+IAeqTIRAhtGAKCt1+ooh6nhSISehEuaESv2ug/PKwCfYyib
pflIHuaZYuu7sy1XX7fXGZM=
=yUvi
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
