Your message dated Tue, 30 Jun 2020 09:04:25 +0000
with message-id <e1jqcbl-0001f9...@fasolo.debian.org>
and subject line Bug#955019: fixed in php-horde-trean 1.1.10-1
has caused the Debian Bug report #955019,
regarding php-horde-trean: CVE-2020-8865
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
955019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955019
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-trean
Version: 1.1.9-4
Severity: important
Tags: security upstream
Control: found -1 1.1.9-3

Hi,

The following vulnerability was published for php-horde-trean.

CVE-2020-8865[0]:
| This vulnerability allows remote attackers to execute local PHP files
| on affected installations of Horde Groupware Webmail Edition 5.2.22.
| Authentication is required to exploit this vulnerability. The specific
| flaw exists within edit.php. When parsing the params[template]
| parameter, the process does not properly validate a user-supplied path
| prior to using it in file operations. An attacker can leverage this in
| conjunction with other vulnerabilities to execute code in the context
| of the www-data user. Was ZDI-CAN-10469.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8865
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8865

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
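The flaw described in the CVE text above is the classic PHP local-file-inclusion shape: a request parameter (params[template]) is spliced into a filesystem path that reaches include(), so a relative path walks out of the template directory and any PHP file the attacker can place on disk runs as the web server user. The block below is an added illustration of that pattern and of a hardened resolver; it is not Horde Trean's code and not the upstream fix, and the function names, the $params array and the throwaway template directory are assumptions for the example.

```php
<?php
// Added illustration of the CVE-2020-8865 flaw class; not Horde Trean's
// code and not the upstream fix. Function names, the $params array and
// the template directory are assumptions for this example.

// VULNERABLE shape: the value of params[template] reaches include()
// unchecked. A request like
//   edit.php?params[template]=../../../../tmp/evil
// resolves to /tmp/evil.php, so any PHP file the attacker can get onto
// disk (an upload, a log, a session file) executes as the web server user.
function renderTemplateUnsafe(array $params, string $dir): void
{
    $template = $params['template'] ?? 'default';
    include $dir . '/' . $template . '.php';
}

// HARDENED resolver: allowlist the name syntactically, canonicalise the
// path, and refuse anything that does not land strictly inside $dir.
function resolveTemplate(array $params, string $dir): ?string
{
    $template = $params['template'] ?? 'default';

    // A template name is a bare identifier: no '/', no '..', no NUL bytes.
    if (!is_string($template) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template)) {
        return null;
    }

    // realpath() resolves '..' and symlinks and returns false when the
    // file does not exist, so a non-existent name is rejected here too.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null;
    }

    // Confine: the canonical path must sit below the canonical base dir.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function renderTemplateSafe(array $params, string $dir): void
{
    $path = resolveTemplate($params, $dir);
    if ($path === null) {
        http_response_code(400);
        echo "unknown template\n";
        return;
    }
    include $path;
}

// Constructed demonstration: a throwaway template directory holding one
// legitimate template, then a handful of candidate parameter values.
$dir = sys_get_temp_dir() . '/trean-lfi-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/default.php', "<?php echo \"rendered default\\n\";\n");

$candidates = [
    'default',                  // legitimate name
    '../../../../tmp/evil',     // traversal out of the template directory
    'default/../default',       // contains '/', refused by the allowlist
    "default\0.txt",            // NUL-byte truncation attempt
    ['nested' => 'default'],    // params[template][nested]=default (array)
];
foreach ($candidates as $candidate) {
    $shown = is_array($candidate) ? 'array' : str_replace("\0", '\0', $candidate);
    $path = resolveTemplate(['template' => $candidate], $dir);
    printf("%-24s -> %s\n", $shown, $path === null ? 'rejected' : 'accepted');
}
renderTemplateSafe(['template' => 'default'], $dir);

unlink($dir . '/default.php');
rmdir($dir);
```

Both checks matter: the allowlist alone stops traversal and NUL tricks but not a symlink planted inside the template directory, and realpath() confinement alone still accepts names that merely look odd; together they reduce the reachable set to real files under the intended directory. An array value for params[template] is also worth rejecting explicitly, since PHP would otherwise coerce it to the string "Array" with a notice rather than failing closed.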
--- Begin Message ---
Source: php-horde-trean
Source-Version: 1.1.10-1
Done: Mike Gabriel <sunwea...@debian.org>

We believe that the bug you reported is fixed in the latest version of
php-horde-trean, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated php-horde-trean package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 30 Jun 2020 10:44:28 +0200
Source: php-horde-trean
Architecture: source
Version: 1.1.10-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <team+debian-horde-t...@tracker.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 955019
Changes:
 php-horde-trean (1.1.10-1) unstable; urgency=medium
 .
   [ Juri Grabowski ]
   * New upstream version 1.1.10
   * SECURITY: The Trean application of the Horde Application Framework contained
     a directory traversal vulnerability (CVE-2020-8865) resulting from
     insufficient input sanitization. An authenticated remote attacker could use
     this flaw to execute code in the context of the web server user. (Closes:
     #955019).
 .
   [ Mike Gabriel ]
   * d/salsa-ci.yml: Add file with salsa-ci.yml and pipeline-jobs.yml calls.
   * d/control: Bump DH compat level to version 13.
   * d/control: Add to Uploaders: Juri Grabowski.
Checksums-Sha1:
 b03e50b532a3bb81f2e962e4c8a291eb8a6cd006 2090 php-horde-trean_1.1.10-1.dsc
 ecd495cf90e5a262e4417bfd6585e901f2fbb2af 664691 php-horde-trean_1.1.10.orig.tar.gz
 7cb3d1e0dfca2cae0fce86cb179c48796e25375e 4164 php-horde-trean_1.1.10-1.debian.tar.xz
 5909516ca2f5e7e4f2d89c34e5c3e9ab7eb08e93 7059 php-horde-trean_1.1.10-1_source.buildinfo
Checksums-Sha256:
 c835e7d1d23a15130fb6dd76861b0331ae4f1507acda20c874164debcd186f79 2090 php-horde-trean_1.1.10-1.dsc
 c1a24d64b4a88976005eea21c9e5939572e8e957e159e73698a9a042868738d5 664691 php-horde-trean_1.1.10.orig.tar.gz
 ea401d05c48e0aed29b152823e65333449a8d9f9f6bffafd29c81333b792de5b 4164 php-horde-trean_1.1.10-1.debian.tar.xz
 f8763b22092d826c76f96d345f30b6675adb72dbf3d2a51f041c67ee547a77ef 7059 php-horde-trean_1.1.10-1_source.buildinfo
Files:
 fbb831901636eae7ab043ffdd7841b29 2090 php optional php-horde-trean_1.1.10-1.dsc
 f85a80bef474994f27622beb3563d94c 664691 php optional php-horde-trean_1.1.10.orig.tar.gz
 8f732c539bfe4ebf1e8c1d6e6efaf491 4164 php optional php-horde-trean_1.1.10-1.debian.tar.xz
 2344708d5c5bfe55c22bc6f91c12b584 7059 php optional php-horde-trean_1.1.10-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
