Your message dated Sat, 25 Apr 2020 18:17:24 +0000
with message-id <e1jspmi-0000ms...@fasolo.debian.org>
and subject line Bug#955019: fixed in php-horde-trean 1.1.7-1+deb9u1
has caused the Debian Bug report #955019,
regarding php-horde-trean: CVE-2020-8865
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
955019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955019
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-trean
Version: 1.1.9-4
Severity: important
Tags: security upstream
Control: found -1 1.1.9-3

Hi,

The following vulnerability was published for php-horde-trean.

CVE-2020-8865[0]:
| This vulnerability allows remote attackers to execute local PHP files
| on affected installations of Horde Groupware Webmail Edition 5.2.22.
| Authentication is required to exploit this vulnerability. The specific
| flaw exists within edit.php. When parsing the params[template]
| parameter, the process does not properly validate a user-supplied path
| prior to using it in file operations. An attacker can leverage this in
| conjunction with other vulnerabilities to execute code in the context
| of the www-data user. Was ZDI-CAN-10469.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8865
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8865

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
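The flaw class that the quoted CVE description names, a user-supplied params[template] value used in a file operation without path validation, as an added PHP example that is not Horde's code and is not part of the original bug report: a constructed vulnerable include beside a hardened resolver that allow-lists the template name, canonicalises it with realpath() and checks containment in the template directory (which also covers a symlink escape, a case the CVE text does not mention). The function names, the template directory layout, the ".html" suffix and the self-test inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Horde's code: a constructed illustration of the flaw class
// described for CVE-2020-8865 (a user-controlled params[template] value used in a
// file operation without validation) and a hardened replacement. Function names,
// the template directory layout and the ".html" suffix are assumptions.

// Vulnerable pattern: the request value is joined to the template directory and
// handed straight to include(), so traversal sequences or an absolute path can
// make PHP execute a file outside that directory.
function render_template_unsafe(string $templateDir, array $params): string
{
    $file = $templateDir . '/' . $params['template'];
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// Hardened resolver: allow-list the name, canonicalise with realpath(), and
// require that the canonical path lies inside the canonical template directory.
// Returns null on any rejection so callers fail closed.
function resolve_template_path(string $templateDir, string $name): ?string
{
    // 1. Only a bare template name: no dots, slashes, NUL bytes or absolute paths.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // 2. Canonicalise both sides; realpath() returns false for missing files.
    $base = realpath($templateDir);
    $candidate = realpath($templateDir . '/' . $name . '.html');
    if ($base === false || $candidate === false) {
        return null;
    }
    // 3. Containment check on canonical paths, which also catches symlinks that
    //    point outside the directory (a pattern-only check would miss those).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function render_template_safe(string $templateDir, array $params): string
{
    $name = isset($params['template']) ? (string) $params['template'] : '';
    $path = resolve_template_path($templateDir, $name);
    if ($path === null) {
        // Log the rejected value hex-encoded so it cannot inject into the log;
        // repeated rejections from one session are a useful detection signal.
        error_log('template parameter rejected: ' . bin2hex($name));
        throw new InvalidArgumentException('unknown template');
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Constructed self-test: build a throwaway template directory and exercise the
// resolver with a legitimate name, a traversal attempt, an absolute path and a
// symlink that points outside the template directory.
function self_test(): array
{
    $dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
    mkdir($dir . '/templates', 0700, true);
    file_put_contents($dir . '/templates/welcome.html', "Hello <?= htmlspecialchars('world') ?>\n");
    file_put_contents($dir . '/outside.html', "should never be included\n");
    symlink($dir . '/outside.html', $dir . '/templates/link.html');

    $tpl = $dir . '/templates';
    $results = [
        'legit'     => resolve_template_path($tpl, 'welcome') !== null,   // true
        'traversal' => resolve_template_path($tpl, '../outside') === null, // true
        'absolute'  => resolve_template_path($tpl, '/tmp/outside') === null, // true
        'symlink'   => resolve_template_path($tpl, 'link') === null,       // true
        'rendered'  => trim(render_template_safe($tpl, ['template' => 'welcome'])), // "Hello world"
    ];

    // Remove the throwaway files again.
    unlink($dir . '/templates/link.html');
    unlink($dir . '/templates/welcome.html');
    unlink($dir . '/outside.html');
    rmdir($dir . '/templates');
    rmdir($dir);
    return $results;
}

var_dump(self_test());
```

The regex alone would already block the traversal and absolute-path inputs; the realpath() containment check is what rejects the symlink case and keeps the resolver correct if the allow-list is later loosened, so both layers are kept.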
--- Begin Message ---
Source: php-horde-trean
Source-Version: 1.1.7-1+deb9u1
Done: robe...@debian.org (Roberto C. Sanchez)

We believe that the bug you reported is fixed in the latest version of
php-horde-trean, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez <robe...@debian.org> (supplier of updated php-horde-trean package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Apr 2020 20:32:35 -0400
Source: php-horde-trean
Binary: php-horde-trean
Architecture: source
Version: 1.1.7-1+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hack...@lists.alioth.debian.org>
Changed-By: Roberto C. Sanchez <robe...@debian.org>
Description:
 php-horde-trean - ${phppear:summary}
Closes: 955019
Changes:
 php-horde-trean (1.1.7-1+deb9u1) stretch; urgency=high
 .
   * Fix CVE-2020-8865:
     The Horde Application Framework contained a directory traversal
     vulnerability resulting from insufficient input sanitization. An
     authenticated remote attacker could use this flaw to execute code in the
     context of the web server user. (Closes: #955019)
Checksums-Sha1:
 7b6ae903616fb9da3b06a83c1bcc2dfc98019acc 2061 php-horde-trean_1.1.7-1+deb9u1.dsc
 67c047a148e6d2896ba2827a1f1e56bbebde21ce 658190 php-horde-trean_1.1.7.orig.tar.gz
 6357fca29bfac7cc160aa583c3e52638aeddda0a 3760 php-horde-trean_1.1.7-1+deb9u1.debian.tar.xz
 324fc4294b203dc03b9fbb14ce7c629992332f46 6240 php-horde-trean_1.1.7-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 29f53d62f600432a6bdb6af9cc33819724b19e091cdc6a75a55abb01aa50758d 2061 php-horde-trean_1.1.7-1+deb9u1.dsc
 9c279c7c8b5f555829e140788cfdbf1f7bfe0dddeb74c0c6d723289b48b110d6 658190 php-horde-trean_1.1.7.orig.tar.gz
 7a2ccf8ce3287252cedf0b8b17415e8d72b7ebd54db84fcc031b265bfa9b11b8 3760 php-horde-trean_1.1.7-1+deb9u1.debian.tar.xz
 a1e021e3ea2f69ab5e663b24f0c2adb7178a7e345522a11974f953c97ff3a4c6 6240 php-horde-trean_1.1.7-1+deb9u1_amd64.buildinfo
Files:
 c4958f860492209ac2e118158b7009e7 2061 php extra php-horde-trean_1.1.7-1+deb9u1.dsc
 b9c45b8385f44471c81af5dba9161de0 658190 php extra php-horde-trean_1.1.7.orig.tar.gz
 e193d55e344d7fa1924cacf92243f909 3760 php extra php-horde-trean_1.1.7-1+deb9u1.debian.tar.xz
 a27ace71c0965f4386b37809e3019dfb 6240 php extra php-horde-trean_1.1.7-1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
