Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 
<b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.ca...@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #956537,
regarding stretch-pu: package php-horde-trean/1.1.7-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
956537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956537
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Please find attached a proposed debdiff for php-horde-trean.  The change
fixes CVE-2020-8865, which the security team has classified as <no-dsa>,
deeming it a minor issue which can be fixed via a point release.  I have
prepared this update in coordination with the security team.  May I have
permission to upload to stretch-proposed-updates?

Regards,

-Roberto

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru php-horde-trean-1.1.7/debian/changelog 
php-horde-trean-1.1.7/debian/changelog
--- php-horde-trean-1.1.7/debian/changelog      2016-12-18 17:01:35.000000000 
-0500
+++ php-horde-trean-1.1.7/debian/changelog      2020-04-10 20:32:35.000000000 
-0400
@@ -1,3 +1,13 @@
+php-horde-trean (1.1.7-1+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2020-8865:
+    The Horde Application Framework contained a directory traversal
+    vulnerability resulting from insufficient input sanitization. An
+    authenticated remote attacker could use this flaw to execute code in the
+    context of the web server user. (Closes: #955019)
+
+ -- Roberto C. Sanchez <robe...@debian.org>  Fri, 10 Apr 2020 20:32:35 -0400
+
 php-horde-trean (1.1.7-1) unstable; urgency=medium
 
   * New upstream version 1.1.7
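Review bot: the new changelog entry does not identify the upstream fix it carries; adding the upstream commit id that appears in the patch header further down (db0714a0c04d87bda9e2852f1b0d259fc281ca75) next to the CVE-2020-8865 line would let stable users and the security tracker confirm that the deb9u1 patch matches the upstream change without opening the patch file.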
diff -Nru 
php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
 
php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
--- 
php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
 1969-12-31 19:00:00.000000000 -0500
+++ 
php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
 2020-04-10 20:32:35.000000000 -0400
@@ -0,0 +1,36 @@
+From db0714a0c04d87bda9e2852f1b0d259fc281ca75 Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <mrubi...@horde.org>
+Date: Sun, 1 Mar 2020 15:00:46 -0500
+Subject: [PATCH] SECURITY: Fix Directory Traversal Vulerability.
+
+---
+ lib/Block/Bookmarks.php   | 2 +-
+ lib/Block/Mostclicked.php | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/trean-1.1.7/lib/Block/Bookmarks.php 
b/trean-1.1.7/lib/Block/Bookmarks.php
+index 7027bc3..16c7ba2 100644
+--- a/trean-1.1.7/lib/Block/Bookmarks.php
++++ b/trean-1.1.7/lib/Block/Bookmarks.php
+@@ -68,7 +68,7 @@ protected function _title()
+      */
+     protected function _content()
+     {
+-        $template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] 
. '.inc';
++        $template = TREAN_TEMPLATES . '/block/' . 
basename($this->_params['template']) . '.inc';
+ 
+         $sortby = 'title';
+         $sortdir = 0;
+diff --git a/trean-1.1.7/lib/Block/Mostclicked.php 
b/trean-1.1.7/lib/Block/Mostclicked.php
+index ffbc52b..3308110 100644
+--- a/trean-1.1.7/lib/Block/Mostclicked.php
++++ b/trean-1.1.7/lib/Block/Mostclicked.php
+@@ -58,7 +58,7 @@ protected function _title()
+      */
+     protected function _content()
+     {
+-        $template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] 
. '.inc';
++        $template = TREAN_TEMPLATES . '/block/' . 
basename($this->_params['template']) . '.inc';
+ 
+         $html = '';
+         $bookmarks = $GLOBALS['trean_gateway']->listBookmarks('clicks', 1, 0, 
$this->_params['rows']);
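Review bot: wrapping `$this->_params['template']` in `basename()` (done identically in `Bookmarks.php` and `Mostclicked.php`) strips any directory component, so a `template` parameter can no longer escape `TREAN_TEMPLATES . '/block/'`, but it still allows any `.inc` file inside that directory to be included; an allow-list of the known block template names, or a check that the resulting path resolves under that directory, would be a tighter fix. Two caveats worth recording: PHP's `basename()` is locale-aware and may mangle multibyte characters unless `setlocale()` has been called, and the long `$template = ...` lines appear wrapped in this mail rendering, so the inline copy will not apply with `patch -p1` as displayed and the attached debdiff should be checked instead.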
diff -Nru php-horde-trean-1.1.7/debian/patches/series 
php-horde-trean-1.1.7/debian/patches/series
--- php-horde-trean-1.1.7/debian/patches/series 1969-12-31 19:00:00.000000000 
-0500
+++ php-horde-trean-1.1.7/debian/patches/series 2020-04-10 20:32:35.000000000 
-0400
@@ -0,0 +1 @@
+0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
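Review bot: the series entry (and the patch filename it points at) carries the misspelling "Vulerability" from the upstream subject line; quilt does not care, but renaming the patch before upload avoids perpetuating the typo in the stretch source package.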

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
