Bug#464058: marked as done (turba2: Access rights not checked properly)
Your message dated Sat, 26 Jul 2008 09:58:04 +
with message-id [EMAIL PROTECTED]
and subject line Bug#464058: fixed in turba2 2.1.3-1etch1
has caused the Debian Bug report #464058,
regarding turba2: Access rights not checked properly
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
464058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

---BeginMessage---
Package: turba2
Version: 2.1.3-1
Severity: normal

Access rights do not seem to be checked properly before allowing a user to edit address data, as illustrated in the following example: A user adds an address from his or her personal addressbook to a contact list in a shared address book. Now anybody who has write access to the shared address book can also edit this person's address data in the user's personal addressbook.

In fact, after manually entering an object_id (which I looked up in the database) from somebody else's address book I found I could edit this data as well. So it seems that when edit.php is passed an object_id, the owner_id and the requesting user's access rights to the addressbook that the owner_id refers to aren't checked. Apparently knowing the object_id is enough to be able to edit any address! I guess this is left over from the time address books couldn't be shared yet, based on the assumption that people wouldn't be able to guess the pseudo random 32 character ids.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
---End Message---
---BeginMessage---
Source: turba2
Source-Version: 2.1.3-1etch1

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.1.3-1etch1.diff.gz
  to pool/main/t/turba2/turba2_2.1.3-1etch1.diff.gz
turba2_2.1.3-1etch1.dsc
  to pool/main/t/turba2/turba2_2.1.3-1etch1.dsc
turba2_2.1.3-1etch1_all.deb
  to pool/main/t/turba2/turba2_2.1.3-1etch1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) [EMAIL PROTECTED] (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 21 Feb 2008 02:17:51 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.1.3-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers [EMAIL PROTECTED]
Changed-By: Gregory Colpart (evolix) [EMAIL PROTECTED]
Description:
 turba2     - contact management component for horde framework
Closes: 464058
Changes:
 turba2 (2.1.3-1etch1) stable-security; urgency=high
 .
   * Fix unchecked access to contacts in the same SQL table, if the unique
     key of another user's contact can be guessed. See CVE-2008-0807 for
     more information. (Closes: #464058)
   * Fix privilege escalation in the Horde API.
Files:
 0aa309ef908c6ab95b62fa6fbb97d7c5 722 web optional turba2_2.1.3-1etch1.dsc
 a0407717f3f64fb33f6a57e2244a12b4 1790717 web optional turba2_2.1.3.orig.tar.gz
 fcef7709711274ebf26b99e3032f4e7e 7434 web optional turba2_2.1.3-1etch1.diff.gz
 0fb704f257a5d583196e10de104289f0 1860044 web optional turba2_2.1.3-1etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHveA2wM/Gs81MDZ0RAix7AKCzys545lPRKunQOBRxfpwhexu57gCgo2JA
zzSijNzt4cddZ5aEeOzhFv4=
=8IVv
-----END PGP SIGNATURE-----
---End Message---
Bug#464058: marked as done (turba2: Access rights not checked properly)
Your message dated Sat, 12 Apr 2008 07:52:38 +
with message-id [EMAIL PROTECTED]
and subject line Bug#464058: fixed in turba2 2.1.3-1etch1
has caused the Debian Bug report #464058,
regarding turba2: Access rights not checked properly
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
464058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

---BeginMessage---
Package: turba2
Version: 2.1.3-1
Severity: normal

Access rights do not seem to be checked properly before allowing a user to edit address data, as illustrated in the following example: A user adds an address from his or her personal addressbook to a contact list in a shared address book. Now anybody who has write access to the shared address book can also edit this person's address data in the user's personal addressbook.

In fact, after manually entering an object_id (which I looked up in the database) from somebody else's address book I found I could edit this data as well. So it seems that when edit.php is passed an object_id, the owner_id and the requesting user's access rights to the addressbook that the owner_id refers to aren't checked. Apparently knowing the object_id is enough to be able to edit any address! I guess this is left over from the time address books couldn't be shared yet, based on the assumption that people wouldn't be able to guess the pseudo random 32 character ids.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
---End Message---
---BeginMessage---
Source: turba2
Source-Version: 2.1.3-1etch1

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.1.3-1etch1.diff.gz
  to pool/main/t/turba2/turba2_2.1.3-1etch1.diff.gz
turba2_2.1.3-1etch1.dsc
  to pool/main/t/turba2/turba2_2.1.3-1etch1.dsc
turba2_2.1.3-1etch1_all.deb
  to pool/main/t/turba2/turba2_2.1.3-1etch1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) [EMAIL PROTECTED] (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 21 Feb 2008 02:17:51 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.1.3-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers [EMAIL PROTECTED]
Changed-By: Gregory Colpart (evolix) [EMAIL PROTECTED]
Description:
 turba2     - contact management component for horde framework
Closes: 464058
Changes:
 turba2 (2.1.3-1etch1) stable-security; urgency=high
 .
   * Fix unchecked access to contacts in the same SQL table, if the unique
     key of another user's contact can be guessed. See CVE-2008-0807 for
     more information. (Closes: #464058)
   * Fix privilege escalation in the Horde API.
Files:
 0aa309ef908c6ab95b62fa6fbb97d7c5 722 web optional turba2_2.1.3-1etch1.dsc
 a0407717f3f64fb33f6a57e2244a12b4 1790717 web optional turba2_2.1.3.orig.tar.gz
 fcef7709711274ebf26b99e3032f4e7e 7434 web optional turba2_2.1.3-1etch1.diff.gz
 0fb704f257a5d583196e10de104289f0 1860044 web optional turba2_2.1.3-1etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHveA2wM/Gs81MDZ0RAix7AKCzys545lPRKunQOBRxfpwhexu57gCgo2JA
zzSijNzt4cddZ5aEeOzhFv4=
=8IVv
-----END PGP SIGNATURE-----
---End Message---
Bug#464058: marked as done (turba2: Access rights not checked properly)
Your message dated Sat, 12 Apr 2008 17:54:59 +
with message-id [EMAIL PROTECTED]
and subject line Bug#464058: fixed in turba2 2.0.2-1sarge1
has caused the Debian Bug report #464058,
regarding turba2: Access rights not checked properly
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
464058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

---BeginMessage---
Package: turba2
Version: 2.1.3-1
Severity: normal

Access rights do not seem to be checked properly before allowing a user to edit address data, as illustrated in the following example: A user adds an address from his or her personal addressbook to a contact list in a shared address book. Now anybody who has write access to the shared address book can also edit this person's address data in the user's personal addressbook.

In fact, after manually entering an object_id (which I looked up in the database) from somebody else's address book I found I could edit this data as well. So it seems that when edit.php is passed an object_id, the owner_id and the requesting user's access rights to the addressbook that the owner_id refers to aren't checked. Apparently knowing the object_id is enough to be able to edit any address! I guess this is left over from the time address books couldn't be shared yet, based on the assumption that people wouldn't be able to guess the pseudo random 32 character ids.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
---End Message---
---BeginMessage---
Source: turba2
Source-Version: 2.0.2-1sarge1

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.0.2-1sarge1.diff.gz
  to pool/main/t/turba2/turba2_2.0.2-1sarge1.diff.gz
turba2_2.0.2-1sarge1.dsc
  to pool/main/t/turba2/turba2_2.0.2-1sarge1.dsc
turba2_2.0.2-1sarge1_all.deb
  to pool/main/t/turba2/turba2_2.0.2-1sarge1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) [EMAIL PROTECTED] (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 21 Feb 2008 02:17:37 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.0.2-1sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist [EMAIL PROTECTED]
Changed-By: Gregory Colpart (evolix) [EMAIL PROTECTED]
Description:
 turba2     - contact management component for horde framework
Closes: 464058
Changes:
 turba2 (2.0.2-1sarge1) oldstable-security; urgency=high
 .
   * Fix unchecked access to contacts in the same SQL table, if the unique
     key of another user's contact can be guessed. See CVE-2008-0807 for
     more information. (Closes: #464058)
   * Fix privilege escalation in Horde API.
   * Close several XSS vulnerabilities with address book and contact data.
Files:
 78ef803c5a5c3c0564ddd8b23a96da4d 626 web optional turba2_2.0.2-1sarge1.dsc
 43381a9620d08ad17758fc533e865db3 1221378 web optional turba2_2.0.2.orig.tar.gz
 8ccfd8d4f1886141a916d706217d8a73 8049 web optional turba2_2.0.2-1sarge1.diff.gz
 ee4a5791cb7b942305f9095b9b3ae697 1282950 web optional turba2_2.0.2-1sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHvd+9wM/Gs81MDZ0RAqHaAKC7uu/8TNn6rBQDFeccDMhHAsjFZACggpZE
GxcN9VEj5Cuf6oRyGAjg6JE=
=Wd+H
-----END PGP SIGNATURE-----
---End Message---
Bug#464058: marked as done (turba2: Access rights not checked properly)
Your message dated Thu, 28 Feb 2008 07:52:16 +
with message-id [EMAIL PROTECTED]
and subject line Bug#464058: fixed in turba2 2.0.2-1sarge1
has caused the Debian Bug report #464058,
regarding turba2: Access rights not checked properly
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
464058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

---BeginMessage---
Package: turba2
Version: 2.1.3-1
Severity: normal

Access rights do not seem to be checked properly before allowing a user to edit address data, as illustrated in the following example: A user adds an address from his or her personal addressbook to a contact list in a shared address book. Now anybody who has write access to the shared address book can also edit this person's address data in the user's personal addressbook.

In fact, after manually entering an object_id (which I looked up in the database) from somebody else's address book I found I could edit this data as well. So it seems that when edit.php is passed an object_id, the owner_id and the requesting user's access rights to the addressbook that the owner_id refers to aren't checked. Apparently knowing the object_id is enough to be able to edit any address! I guess this is left over from the time address books couldn't be shared yet, based on the assumption that people wouldn't be able to guess the pseudo random 32 character ids.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
---End Message---
---BeginMessage---
Source: turba2
Source-Version: 2.0.2-1sarge1

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.0.2-1sarge1.diff.gz
  to pool/main/t/turba2/turba2_2.0.2-1sarge1.diff.gz
turba2_2.0.2-1sarge1.dsc
  to pool/main/t/turba2/turba2_2.0.2-1sarge1.dsc
turba2_2.0.2-1sarge1_all.deb
  to pool/main/t/turba2/turba2_2.0.2-1sarge1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) [EMAIL PROTECTED] (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 21 Feb 2008 02:17:37 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.0.2-1sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist [EMAIL PROTECTED]
Changed-By: Gregory Colpart (evolix) [EMAIL PROTECTED]
Description:
 turba2     - contact management component for horde framework
Closes: 464058
Changes:
 turba2 (2.0.2-1sarge1) oldstable-security; urgency=high
 .
   * Fix unchecked access to contacts in the same SQL table, if the unique
     key of another user's contact can be guessed. See CVE-2008-0807 for
     more information. (Closes: #464058)
   * Fix privilege escalation in Horde API.
   * Close several XSS vulnerabilities with address book and contact data.
Files:
 78ef803c5a5c3c0564ddd8b23a96da4d 626 web optional turba2_2.0.2-1sarge1.dsc
 43381a9620d08ad17758fc533e865db3 1221378 web optional turba2_2.0.2.orig.tar.gz
 8ccfd8d4f1886141a916d706217d8a73 8049 web optional turba2_2.0.2-1sarge1.diff.gz
 ee4a5791cb7b942305f9095b9b3ae697 1282950 web optional turba2_2.0.2-1sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHvd+9wM/Gs81MDZ0RAqHaAKC7uu/8TNn6rBQDFeccDMhHAsjFZACggpZE
GxcN9VEj5Cuf6oRyGAjg6JE=
=Wd+H
-----END PGP SIGNATURE-----
---End Message---
Bug#464058: marked as done (turba2: Access rights not checked properly)
Your message dated Sun, 17 Feb 2008 11:32:07 +
with message-id [EMAIL PROTECTED]
and subject line Bug#464058: fixed in turba2 2.1.7-1
has caused the Debian Bug report #464058,
regarding turba2: Access rights not checked properly
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
464058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

---BeginMessage---
Package: turba2
Version: 2.1.3-1
Severity: normal

Access rights do not seem to be checked properly before allowing a user to edit address data, as illustrated in the following example: A user adds an address from his or her personal addressbook to a contact list in a shared address book. Now anybody who has write access to the shared address book can also edit this person's address data in the user's personal addressbook.

In fact, after manually entering an object_id (which I looked up in the database) from somebody else's address book I found I could edit this data as well. So it seems that when edit.php is passed an object_id, the owner_id and the requesting user's access rights to the addressbook that the owner_id refers to aren't checked. Apparently knowing the object_id is enough to be able to edit any address! I guess this is left over from the time address books couldn't be shared yet, based on the assumption that people wouldn't be able to guess the pseudo random 32 character ids.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
---End Message---
---BeginMessage---
Source: turba2
Source-Version: 2.1.7-1

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.1.7-1.diff.gz
  to pool/main/t/turba2/turba2_2.1.7-1.diff.gz
turba2_2.1.7-1.dsc
  to pool/main/t/turba2/turba2_2.1.7-1.dsc
turba2_2.1.7-1_all.deb
  to pool/main/t/turba2/turba2_2.1.7-1_all.deb
turba2_2.1.7.orig.tar.gz
  to pool/main/t/turba2/turba2_2.1.7.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) [EMAIL PROTECTED] (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 16 Feb 2008 22:12:25 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.1.7-1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers [EMAIL PROTECTED]
Changed-By: Gregory Colpart (evolix) [EMAIL PROTECTED]
Description:
 turba2     - contact management component for horde framework
Closes: 464058
Changes:
 turba2 (2.1.7-1) unstable; urgency=high
 .
   * New upstream release.
   * This release adds restrictions to ensure you can't edit another user's
     contact in the same SQL backend table if you guess the id.
     (Closes: #464058).
   * Now use Vcs-* fields in debian/control.
   * Put the CREDITS file where the online help viewer expects it (See #357377).
   * Update to standards version 3.7.3, no further required changes.
   * Bump debhelper compat level to 5.
   * Add Homepage field.
Files:
 44b6b2ced9d91a8f5d04da290b50d1df 933 web optional turba2_2.1.7-1.dsc
 9cde9a44239c852211204112f3d6edfe 1868115 web optional turba2_2.1.7.orig.tar.gz
 f6cbcffb54481db79f6176ced24a83b7 6528 web optional turba2_2.1.7-1.diff.gz
 d9448f11c1f8615a29af9222d3e17ba8 1928648 web optional turba2_2.1.7-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHuBn3GKGxzw/lPdkRAm6OAJ4qywxIYZBGcsyTmkVXZFKvCaGyBQCfacXt
UdqLgy5ir1FdSkwwlyoT/+I=
=4uE1
-----END PGP SIGNATURE-----
---End Message---
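The reporter's finding in every copy of the report above, that knowing an object_id was enough to edit any contact because edit.php never checked the requester's rights on the address book the row's owner_id refers to, is the missing-authorisation pattern modelled below. This is an added illustration in Python on constructed data, not Turba's own PHP code; the users, address book names and 32-character ids are hypothetical, and the contact-list case mirrors the report's shared-book scenario.

```python
"""Missing-authorisation pattern from Debian bug #464058 / CVE-2008-0807,
modelled in Python on constructed data (not Turba's own PHP code)."""
from dataclasses import dataclass, field
# Constructed 32-character keys standing in for Turba object_ids.
CAROL_ID = "0123456789abcdef0123456789abcdef"
LIST_ID = "fedcba9876543210fedcba9876543210"

@dataclass
class Contact:
    object_id: str   # row key; its secrecy is not an authorisation check
    owner_id: str    # address book (share) the row belongs to
    email: str
    members: list = field(default_factory=list)  # non-empty for contact lists

@dataclass
class AddressBook:
    owner: str                                 # user who owns the share
    perms: dict = field(default_factory=dict)  # user -> set of granted perms

def sample_state():
    """Report's scenario with hypothetical users: Alice's personal contact
    Carol is referenced from a contact list in a shared book Bob can edit."""
    books = {
        "alice_personal": AddressBook(owner="alice"),
        "team_shared": AddressBook(owner="alice", perms={"bob": {"read", "edit"}}),
    }
    carol = Contact(CAROL_ID, "alice_personal", "carol@example.invalid")
    team = Contact(LIST_ID, "team_shared", "team@example.invalid", [CAROL_ID])
    return books, {c.object_id: c for c in (carol, team)}

def can_edit(books, user, book_id):
    """True if user owns the address book or was granted 'edit' on it."""
    book = books[book_id]
    return user == book.owner or "edit" in book.perms.get(user, set())

def edit_unchecked(contacts, books, user, object_id, new_email):
    """Vulnerable shape: object_id alone selects the row; rights unchecked."""
    contact = contacts[object_id]
    contact.email = new_email
    return contact

def edit_checked(contacts, books, user, object_id, new_email):
    """Fixed shape: take the owning book from the STORED row, never from a
    request parameter, and authorise the requester against that book."""
    contact = contacts.get(object_id)
    if contact is None or not can_edit(books, user, contact.owner_id):
        # One response for missing and forbidden, so ids cannot be probed.
        raise PermissionError("contact not found or not editable")
    contact.email = new_email
    return contact

def demo():
    """Bob may edit the list in the shared book but not Carol's row."""
    books, contacts = sample_state()
    out = {"list": edit_checked(contacts, books, "bob", LIST_ID, "t2@example.invalid").email,
           "unchecked": edit_unchecked(contacts, books, "bob", CAROL_ID, "c2@example.invalid").email}
    try:
        edit_checked(contacts, books, "bob", CAROL_ID, "c3@example.invalid")
        out["checked"] = "allowed"
    except PermissionError:
        out["checked"] = "denied"
    return out
```

The membership of Carol's id in a list Bob may edit gives Bob no rights on Carol's row, because the check is made against the address book stored in that row rather than the one the request arrived through.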