Bug#955020: marked as done (php-horde-form: CVE-2020-8866)

2020-06-30 Thread Debian Bug Tracking System
Your message dated Tue, 30 Jun 2020 09:04:19 +
with message-id 
and subject line Bug#955020: fixed in php-horde-form 2.0.20-1
has caused the Debian Bug report #955020,
regarding php-horde-form: CVE-2020-8866
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
955020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955020
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-form
Version: 2.0.19-1
Severity: important
Tags: security upstream
Control: found -1 2.0.18-3.1
Control: found -1 2.0.15-1+deb9u1
Control: found -1 2.0.15-1

Hi,

The following vulnerability was published for php-horde-form.

CVE-2020-8866[0]:
| This vulnerability allows remote attackers to create arbitrary files
| on affected installations of Horde Groupware Webmail Edition 5.2.22.
| Authentication is required to exploit this vulnerability. The specific
| flaw exists within add.php. The issue results from the lack of proper
| validation of user-supplied data, which can allow the upload of
| arbitrary files. An attacker can leverage this in conjunction with
| other vulnerabilities to execute code in the context of the www-data
| user. Was ZDI-CAN-10125.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8866
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8866

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: php-horde-form
Source-Version: 2.0.20-1
Done: Mike Gabriel 

We believe that the bug you reported is fixed in the latest version of
php-horde-form, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel  (supplier of updated php-horde-form package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 30 Jun 2020 10:36:20 +0200
Source: php-horde-form
Architecture: source
Version: 2.0.20-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers 
Changed-By: Mike Gabriel 
Closes: 955020
Changes:
 php-horde-form (2.0.20-1) unstable; urgency=medium
 .
   [ Juri Grabowski ]
   * New upstream version 2.0.20
   * SECURITY: Prevent ability to specify temporary filename (CVE-2020-8866)
     (Closes: #955020).
 .
   [ Mike Gabriel ]
   * d/salsa-ci.yml: Add file with salsa-ci.yml and pipeline-jobs.yml calls.
   * d/control: Bump DH compat level to version 13.
   * d/control: Add to Uploaders: Juri Grabowski.

Bug#955020: marked as done (php-horde-form: CVE-2020-8866)

2020-04-25 Thread Debian Bug Tracking System
Your message dated Sat, 25 Apr 2020 15:17:26 +
with message-id 
and subject line Bug#955020: fixed in php-horde-form 2.0.15-1+deb9u2
has caused the Debian Bug report #955020,
regarding php-horde-form: CVE-2020-8866
to be marked as done.

--- Begin Message ---
Source: php-horde-form
Source-Version: 2.0.15-1+deb9u2
Done: robe...@debian.org (Roberto C. Sanchez)

We believe that the bug you reported is fixed in the latest version of
php-horde-form, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez (supplier of updated php-horde-form package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 24 Mar 2020 13:54:47 -0400
Source: php-horde-form
Binary: php-horde-form
Architecture: source
Version: 2.0.15-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Horde Maintainers 
Changed-By: Roberto C. Sanchez 
Description:
 php-horde-form - ${phppear:summary}
Closes: 955020
Changes:
 php-horde-form (2.0.15-1+deb9u2) stretch; urgency=high
 .
   * Fix CVE-2020-8866:
     The Horde Application Framework contained a remote code execution
     vulnerability. An authenticated remote attacker could use this flaw to
     upload arbitrary content to an arbitrary writable location on the server
     and potentially execute code in the context of the web server user.
     (Closes: #955020)

Bug#955020: marked as done (php-horde-form: CVE-2020-8866)

2020-04-25 Thread Debian Bug Tracking System
Your message dated Sat, 25 Apr 2020 15:02:14 +
with message-id 
and subject line Bug#955020: fixed in php-horde-form 2.0.18-3.1+deb10u1
has caused the Debian Bug report #955020,
regarding php-horde-form: CVE-2020-8866
to be marked as done.

--- Begin Message ---
Source: php-horde-form
Source-Version: 2.0.18-3.1+deb10u1
Done: robe...@debian.org (Roberto C. Sanchez)

We believe that the bug you reported is fixed in the latest version of
php-horde-form, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez (supplier of updated php-horde-form package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 24 Mar 2020 13:55:11 -0400
Source: php-horde-form
Architecture: source
Version: 2.0.18-3.1+deb10u1
Distribution: buster
Urgency: high
Maintainer: Horde Maintainers 
Changed-By: Roberto C. Sanchez 
Closes: 955020
Changes:
 php-horde-form (2.0.18-3.1+deb10u1) buster; urgency=high
 .
   * Fix CVE-2020-8866:
     The Horde Application Framework contained a remote code execution
     vulnerability. An authenticated remote attacker could use this flaw to
     upload arbitrary content to an arbitrary writable location on the server
     and potentially execute code in the context of the web server user.
     (Closes: #955020)