Your message dated Sun, 16 Jul 2006 04:32:20 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#378281: fixed in horde3 3.1.2-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: horde3
Version: 3.0.4-4sarge4 3.1.1-3
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3548: "Multiple cross-site scripting (XSS) vulnerabilities in
Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through
3.1.1 allow remote attackers to inject arbitrary web script or HTML via
a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI
in the url parameter in services/go.php (aka the dereferrer), (5) a
javascript URI in the module parameter in services/help (aka the help
viewer), and (6) the name parameter in services/problem.php (aka the
problem reporting screen)."

CVE-2006-3549: "services/go.php in Horde Application Framework 3.0.0
through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its
image proxy capability, which allows remote attackers to perform "Web
tunneling" attacks and use the server as a proxy via (1) http, (2)
https, and (3) ftp URL in the url parameter, which is requested from the
server."

These issues are reportedly fixed in 3.1.11 and 3.1.2.  The two list
announcements, [1] and [2], may provide more detail, but I can't reach
lists.horde.org now.  I believe they are the same as [3] and [4].

Sarge's version is affected.

Please note the CVE numbers in your changelogs.

Thanks,

Alec

[1] http://lists.horde.org/archives/announce/2006/000287.html
[2] http://lists.horde.org/archives/announce/2006/000288.html
[3] http://marc.theaimsgroup.com/?l=horde-announce&m=115211712002671&w=2
[4] http://marc.theaimsgroup.com/?l=horde-announce&m=115211223405498&w=2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEuDLwAud/2YgchcQRAvfJAJ9MmPk+iO2tvHfA2E+aMO6qSJUYHQCfUT7v
wZ9yLl7AAyyHXvaSkttd4FU=
=HKNa
-----END PGP SIGNATURE-----


--- End Message ---
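The two CVEs quoted in the report above describe one entry point (services/go.php) with two distinct failure modes: a javascript: URI passed straight through as a redirect target (XSS), and arbitrary http/https/ftp URLs fetched server-side (open proxy, "web tunneling"). The following Python sketch is an added example, not Horde code and not the upstream 3.1.2 fix; it shows the naive behaviour the advisory describes beside one way to gate such an endpoint. The names SECRET_KEY, ATTACK_URLS, scheme_of, sign, external_link, hardened_go and reflect_safely are assumptions made for the example, and the attacker inputs are constructed.

```python
"""Added example (not Horde code, not the upstream 3.1.2 fix): a dereferrer of
the services/go.php kind, first as the advisory describes it, then hardened."""
import hashlib
import hmac
import html
import re
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Assumption: a server-side secret known only to the application (constructed).
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Schemes an outbound redirect may use. javascript:, data:, vbscript: are
# excluded by construction; an allow-list needs no knowledge of every bad scheme.
ALLOWED_SCHEMES = {"http", "https", "ftp"}

# Constructed attacker inputs for the url= parameter, including obfuscated
# spellings that browsers still execute.
ATTACK_URLS = [
    "javascript:alert(document.cookie)",
    " JaVaScRiPt:alert(1)",                      # leading space, mixed case
    "java\tscript:alert(1)",                     # embedded tab, stripped by browsers
    "data:text/html,<script>alert(1)</script>",
    "vbscript:msgbox(1)",
]


def naive_go(url: str) -> str:
    """The behaviour the advisory describes: whatever arrives in url= is used
    as the redirect target (or fetched, in image-proxy mode) unchanged."""
    return url


def scheme_of(url: str) -> str:
    """Scheme as a browser would interpret it: ASCII whitespace and control
    characters removed before parsing, result lower-cased. Stripping here avoids
    depending on which characters urlsplit() of a given Python version strips
    on its own. Unparseable input yields '' (never on the allow-list)."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", url)
    try:
        return urlsplit(cleaned).scheme.lower()
    except ValueError:  # e.g. malformed IPv6 literal such as "http://[bad"
        return ""


def sign(url: str) -> str:
    """Token bound to one exact URL; only the application holds the key."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def external_link(url: str) -> str:
    """What the application calls when it renders an outbound link: validate
    the scheme once, then attach a token for exactly this URL."""
    if scheme_of(url) not in ALLOWED_SCHEMES:
        raise ValueError("refusing to link to scheme %r" % scheme_of(url))
    return "/services/go.php?" + urlencode({"url": url, "token": sign(url)})


def hardened_go(url: str, token: str) -> Optional[str]:
    """Gate for the dereferrer. Returns the URL to redirect to (or to fetch,
    when the same entry point acts as the image proxy), or None to refuse.

    1. scheme allow-list: stops javascript:/data: targets (the XSS class)
    2. HMAC check: only URLs the application itself minted are honoured, so a
       third party cannot push arbitrary URLs through the server (the open
       proxy / 'web tunneling' class)
    """
    if scheme_of(url) not in ALLOWED_SCHEMES:
        return None
    if not hmac.compare_digest(sign(url).encode(), token.encode("utf-8", "replace")):
        return None
    return url


def reflect_safely(value: str) -> str:
    """For parameters reflected into HTML (the help viewer's module= and
    problem.php's name=), the fix is output encoding, not URL validation."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    good = "http://www.horde.org/"
    print("minted link:", external_link(good))
    for u in ATTACK_URLS:
        print("naive    ->", repr(naive_go(u)))
        print("hardened ->", hardened_go(u, sign(u)))
    print("legit    ->", hardened_go(good, sign(good)))
    print("forged   ->", hardened_go("http://evil.example/", sign(good)))
```

The HMAC binds the token to the exact URL string, so a token lifted from a legitimate link cannot be reused for a different target, and the allow-list is checked both when a link is minted and again when it is followed, so a key leak alone does not reopen the javascript: case.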
--- Begin Message ---
Source: horde3
Source-Version: 3.1.2-1

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.1.2-1.diff.gz
  to pool/main/h/horde3/horde3_3.1.2-1.diff.gz
horde3_3.1.2-1.dsc
  to pool/main/h/horde3/horde3_3.1.2-1.dsc
horde3_3.1.2-1_all.deb
  to pool/main/h/horde3/horde3_3.1.2-1_all.deb
horde3_3.1.2.orig.tar.gz
  to pool/main/h/horde3/horde3_3.1.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lionel Elie Mamane <[EMAIL PROTECTED]> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.7
Date: Sun, 16 Jul 2006 13:12:10 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.2-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <[EMAIL PROTECTED]>
Changed-By: Lionel Elie Mamane <[EMAIL PROTECTED]>
Description: 
 horde3     - horde web application framework
Closes: 357377 373235 376526 378281
Changes: 
 horde3 (3.1.2-1) unstable; urgency=medium
 .
   * New upstream release.
     One of the following is true:
     - This release fixes security problems CVE-2006-3549 and CVE-2006-3548
     - These security problems were already fixed in the past in the Debian
       branch.
     - These security problems were already partially fixed in the past in
       the Debian version and this release mops up the rest.
     In all cases, closes: #378281
   * Tweak README.Debian and example config a bit (closes: #373235)
   * Make the PHP tempdir configurable instead of hardcoded in the weekly
     cleanup script (closes: #376526)
   * Put the CREDITS file where the online help viewer expects it
     (closes: #357377)
   * Bump up Standards-Version
Files: 
 0149ab05e7d45a8cb3a91cd91090d1f6 684 web optional horde3_3.1.2-1.dsc
 2c1f3e5759fa6bca07483d584151771f 5176353 web optional horde3_3.1.2.orig.tar.gz
 d53a26168741dff8e5824cbae9bb7ba2 9785 web optional horde3_3.1.2-1.diff.gz
 f4619366aaa6c501215cb22e8dcb225c 5197674 web optional horde3_3.1.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iEYEAREDAAYFAkS6H7sACgkQscRzFz57S3OVvACfbs5iC3AblxTjnh8k3VlngAhz
888AoPO098hkxwEs05LUCtFmJpiDpEIH
=aILs
-----END PGP SIGNATURE-----


--- End Message ---
