Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.ca...@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #956536,
regarding buster-pu: package php-horde-trean/1.1.9-3+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
956536: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956536
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Please find attached a proposed debdiff for php-horde-trean.  The change
fixes CVE-2020-8865, which the security team has classified as <no-dsa>,
deeming it a minor issue which can be fixed via a point release.  I have
prepared this update in coordination with the security team.  May I have
permission to upload to buster-proposed-updates?

Regards,

-Roberto

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru php-horde-trean-1.1.9/debian/changelog 
php-horde-trean-1.1.9/debian/changelog
--- php-horde-trean-1.1.9/debian/changelog      2018-05-15 10:52:05.000000000 
-0400
+++ php-horde-trean-1.1.9/debian/changelog      2020-04-10 20:31:30.000000000 
-0400
@@ -1,3 +1,13 @@
+php-horde-trean (1.1.9-3+deb10u1) buster; urgency=high
+
+  * Fix CVE-2020-8865:
+    The Horde Application Framework contained a directory traversal
+    vulnerability resulting from insufficient input sanitization. An
+    authenticated remote attacker could use this flaw to execute code in the
+    context of the web server user. (Closes: #955019)
+
+ -- Roberto C. Sanchez <robe...@debian.org>  Fri, 10 Apr 2020 20:31:30 -0400
+
 php-horde-trean (1.1.9-3) unstable; urgency=medium
 
   * Update Standards-Version to 4.1.4, no change
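Review bot: the new changelog entry describes the vulnerability but not the remedy; for a stable update it helps reviewers and users to say what was changed, e.g. a second line such as "Apply basename() to the block template parameter in lib/Block/Bookmarks.php and lib/Block/Mostclicked.php". Also, the entry states the attacker can "execute code in the context of the web server user", while the hunk below only shows an include path being constrained; consider citing the upstream commit (db0714a0c04d87bda9e2852f1b0d259fc281ca75) so that impact claim is traceable.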
diff -Nru 
php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
 
php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
--- 
php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
 1969-12-31 19:00:00.000000000 -0500
+++ 
php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
 2020-04-10 20:31:30.000000000 -0400
@@ -0,0 +1,36 @@
+From db0714a0c04d87bda9e2852f1b0d259fc281ca75 Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <mrubi...@horde.org>
+Date: Sun, 1 Mar 2020 15:00:46 -0500
+Subject: [PATCH] SECURITY: Fix Directory Traversal Vulerability.
+
+---
+ lib/Block/Bookmarks.php   | 2 +-
+ lib/Block/Mostclicked.php | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/trean-1.1.9/lib/Block/Bookmarks.php 
b/trean-1.1.9/lib/Block/Bookmarks.php
+index 7027bc3..16c7ba2 100644
+--- a/trean-1.1.9/lib/Block/Bookmarks.php
++++ b/trean-1.1.9/lib/Block/Bookmarks.php
+@@ -68,7 +68,7 @@ protected function _title()
+      */
+     protected function _content()
+     {
+-        $template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] 
. '.inc';
++        $template = TREAN_TEMPLATES . '/block/' . 
basename($this->_params['template']) . '.inc';
+ 
+         $sortby = 'title';
+         $sortdir = 0;
+diff --git a/trean-1.1.9/lib/Block/Mostclicked.php 
b/trean-1.1.9/lib/Block/Mostclicked.php
+index ffbc52b..3308110 100644
+--- a/trean-1.1.9/lib/Block/Mostclicked.php
++++ b/trean-1.1.9/lib/Block/Mostclicked.php
+@@ -58,7 +58,7 @@ protected function _title()
+      */
+     protected function _content()
+     {
+-        $template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] 
. '.inc';
++        $template = TREAN_TEMPLATES . '/block/' . 
basename($this->_params['template']) . '.inc';
+ 
+         $html = '';
+         $bookmarks = $GLOBALS['trean_gateway']->listBookmarks('clicks', 1, 0, 
$this->_params['rows']);
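Review bot: wrapping $this->_params['template'] in basename() strips every directory component, so "../" sequences can no longer move the include outside TREAN_TEMPLATES . '/block/', which addresses the traversal in both Bookmarks.php and Mostclicked.php; however, any file name inside that directory is still accepted and the resulting path is included without an existence check, so an allow-list of the known block template names (in_array() against a fixed set) would be the stricter fix and would also turn a bad value into a clean error rather than a failed include. Separately, the patch carries only the git From/Date/Subject header and no DEP-3 fields; add at least "Origin: upstream, https://github.com/horde/trean/commit/db0714a0c04d87bda9e2852f1b0d259fc281ca75" and "Bug-Debian: https://bugs.debian.org/955019" so the provenance is recorded in the patch itself. Note also that the a/ and b/ paths include the trean-1.1.9/ prefix, so the patch is not the verbatim upstream commit; the DEP-3 header should say it was adapted to the Debian source layout.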
diff -Nru php-horde-trean-1.1.9/debian/patches/series 
php-horde-trean-1.1.9/debian/patches/series
--- php-horde-trean-1.1.9/debian/patches/series 1969-12-31 19:00:00.000000000 
-0500
+++ php-horde-trean-1.1.9/debian/patches/series 2020-04-10 20:31:30.000000000 
-0400
@@ -0,0 +1 @@
+0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
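Review bot: the patch file name spells "Vulerability" (missing "n"), inherited from the upstream commit subject; it is harmless functionally, but if it is renamed to "Vulnerability" the series entry here and the file under debian/patches/ must be changed together, otherwise quilt will fail to find the patch at build time.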

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
