Your message dated Wed, 29 Nov 2006 18:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#400899: fixed in kronolith2 2.1.4-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: kronolith2
Severity: critical
Version: 2.0.0
Tags: security

Apparently, there was a way to force kronolith2 versions 2.1.0 up to
2.1.3 (and 2.0.0 up to 2.0.7) to include an arbitrary file in some
page it serves. Solved by new upstream version. CVE number unknown.

Unknown whether kronolith (1.x) in sarge is similarly vulnerable (that
version is not supported upstream anymore).

-- 
Lionel
--- Begin Message ---
The Horde Team is pleased to announce the final release of the Kronolith
Calendar Application version H3 (2.1.4).

This is a security release. All users are strongly advised to upgrade as soon
as possible. Thanks to iDefense for the vulnerability report.

Kronolith is the Horde calendar application.  It provides web-based calendars
backed by a SQL database or a Kolab server.  Supported features include shared
calendars, remote calendars, meeting management, alarms, recurring events, and
a sophisticated day/week view which handles arbitrary numbers of overlapping
events.

Major changes compared to the Kronolith H3 (2.1.3) version are:
    * Close arbitrary file inclusion in free/busy views.

The full list of changes (from version H3 (2.1.3)) can be viewed here:

http://cvs.horde.org/diff.php/kronolith/docs/CHANGES?r1=1.165.2.138&r2=1.165.2.142&ty=h

The Kronolith H3 (2.1.4) distribution is available from the following locations:

    ftp://ftp.horde.org/pub/kronolith/kronolith-h3-2.1.4.tar.gz
    http://ftp.horde.org/pub/kronolith/kronolith-h3-2.1.4.tar.gz

Patches against version H3 (2.1.3) are available at:

    ftp://ftp.horde.org/pub/kronolith/patches/patch-kronolith-h3-2.1.3-h3-2.1.4.gz
    http://ftp.horde.org/pub/kronolith/patches/patch-kronolith-h3-2.1.3-h3-2.1.4.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    df6d6fc99012865b18b089212c7544ad  kronolith-h3-2.1.4.tar.gz
    b20cd6c44db40649fd98cc2716f1cb47  patch-kronolith-h3-2.1.3-h3-2.1.4.gz

Have fun!

The Horde Team.

-- 
Horde announcements mailing list
You are subscribed to this list as: [EMAIL PROTECTED]
To unsubscribe, mail: [EMAIL PROTECTED]


--- End Message ---

--- End Message ---
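The reports above say only that a free/busy page could be made to include an arbitrary file, not how. The following is an added illustration of that bug class in a Horde-style PHP page, written for this page; it is not Kronolith's code, the file layout, template names and the `view` query parameter are assumptions, and the hardened version shows the allow-list plus path-containment check a reviewer would expect in place of a request-derived include path.

```php
<?php
// Added example, not Kronolith's code. A hypothetical free/busy page that
// chooses a view template from a request parameter.

// VULNERABLE (hypothetical): the request string is concatenated straight
// into the include path. A value such as ../../../../etc/passwd%00 on old
// PHP, or a remote URL when allow_url_include is enabled, makes the page
// include and execute/print a file the author never intended.
function render_fb_vulnerable(string $view): void
{
    include 'templates/fb/' . $view . '.inc';
}

// HARDENED: map the request value to a fixed set of known templates and
// build the path from that table, never from the request string itself.
const FB_TEMPLATES = [
    'day'   => 'day.inc',
    'week'  => 'week.inc',
    'month' => 'month.inc',
];

function fb_template_path(string $view): ?string
{
    if (!array_key_exists($view, FB_TEMPLATES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates/fb');
    $path = realpath($base . '/' . FB_TEMPLATES[$view]);
    // Defence in depth: even a known name must resolve to a file that sits
    // under the template directory (guards against a symlinked template).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_fb_hardened(string $view): void
{
    $path = fb_template_path($view);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown view';
        return;
    }
    include $path;
}

// Usage; the query parameter name is an assumption.
render_fb_hardened($_GET['view'] ?? 'day');
```

The key change is that user input only ever selects a key in `FB_TEMPLATES`; the string that reaches `include` is built from constants, and `realpath` plus the prefix comparison rejects anything that escapes the template directory. Disabling `allow_url_include` (and, where possible, `allow_url_fopen`) in `php.ini` is the matching server-side mitigation for the remote-file variant.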
--- Begin Message ---
Source: kronolith2
Source-Version: 2.1.4-1

We believe that the bug you reported is fixed in the latest version of
kronolith2, which is due to be installed in the Debian FTP archive:

kronolith2_2.1.4-1.diff.gz
  to pool/main/k/kronolith2/kronolith2_2.1.4-1.diff.gz
kronolith2_2.1.4-1.dsc
  to pool/main/k/kronolith2/kronolith2_2.1.4-1.dsc
kronolith2_2.1.4-1_all.deb
  to pool/main/k/kronolith2/kronolith2_2.1.4-1_all.deb
kronolith2_2.1.4.orig.tar.gz
  to pool/main/k/kronolith2/kronolith2_2.1.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lionel Elie Mamane <[EMAIL PROTECTED]> (supplier of updated kronolith2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.7
Date: Wed, 29 Nov 2006 19:06:01 +0100
Source: kronolith2
Binary: kronolith2
Architecture: source all
Version: 2.1.4-1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <[EMAIL PROTECTED]>
Changed-By: Lionel Elie Mamane <[EMAIL PROTECTED]>
Description: 
 kronolith2 - calendar component for Horde Framework
Closes: 400899
Changes: 
 kronolith2 (2.1.4-1) unstable; urgency=high
 .
   * New upstream release:
     - Don't allow access to arbitrary files (closes: #400899)
       CVE: unknown
Files: 
 c49f349820503004a0777bf9e51fd3eb 699 web optional kronolith2_2.1.4-1.dsc
 df6d6fc99012865b18b089212c7544ad 1691114 web optional kronolith2_2.1.4.orig.tar.gz
 156ac43e5e8a73c70f64ea7f3a4e1a70 4941 web optional kronolith2_2.1.4-1.diff.gz
 041ac3ddf43c5b665227d1479ff356bd 1692634 web optional kronolith2_2.1.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iEYEAREDAAYFAkVtzMYACgkQscRzFz57S3NdtwCgqde7X7CpAlgR7CyRNfEoRnUO
N70AoMvcDbWUMSVN+lx/GUaKGcaZnqg0
=EkHh
-----END PGP SIGNATURE-----


--- End Message ---