Your message dated Sat, 23 Apr 2005 09:17:32 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#305436: fixed in horde2 2.2.8-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 20 Apr 2005 00:01:32 +0000
>From [EMAIL PROTECTED] Tue Apr 19 17:01:32 2005
Return-path: <[EMAIL PROTECTED]>
Received: from skin.netfarm.it (mail.netfarm.it) [151.1.32.181]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DO2eq-00021u-00; Tue, 19 Apr 2005 17:01:32 -0700
Received: from localhost (localhost [127.0.0.1])
by mail.netfarm.it (AMaViS/SpamAssassin) with ESMTP id A1E035D41FD;
Wed, 20 Apr 2005 02:00:59 +0200 (CEST)
Received: from flender.netfarm.it (localhost [127.0.0.1])
by mail.netfarm.it (Netfarm MailServer v1.2 [Powered by Postfix]) with
ESMTP id 7AFCE5D41FA;
Wed, 20 Apr 2005 02:00:58 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Gianluigi Tiesi <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: Insecure permissions for /usr/share/horde2/test.php can expose php
settings
by using phpinfo
X-Mailer: reportbug 3.9
Date: Wed, 20 Apr 2005 02:00:58 +0200
Message-Id: <[EMAIL PROTECTED]>
X-Virus-Scanned: by AMaViS New (Debian) at mail.netfarm.it
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: horde2
Version: 2.2.7-7
Severity: important
/usr/share/horde2/test.php is word readable, and since it includes a
phpinfo() function can expose php and apache settings.
I suggest to make it 600 and add a note in README.Debian explaining
the question and how to enable it to debug installation.
Also please note php 4.3.11 has remove Net_Socket, MAIL and DB pear
modules so when it will be released php4-pear will not have these needed
pear modules, so seperate packages will be needed like php4-pear-log.
Best Regards
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-rc4
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages horde2 depends on:
ii apache2-mpm-prefork [httpd] 2.0.54-2 traditional model for Apache2
ii binutils 2.15-5 The GNU assembler, linker and bina
ii debconf 1.4.48 Debian configuration management sy
ii gettext 0.14.4-1 GNU Internationalization utilities
ii logrotate 3.7-2 Log rotation utility
ii make 3.80-9 The GNU version of the "make" util
ii perl 5.8.4-8 Larry Wall's Practical Extraction
ii php4 4:4.3.10-12 server-side, HTML-embedded scripti
ii php4-pear 4:4.3.10-12 PEAR - PHP Extension and Applicati
ii php4-pear-log 1.6.0-1.1 Log module for PEAR
ii wwwconfig-common 0.0.43 Debian web auto configuration
-- debconf information excluded
---------------------------------------
Received: (at 305436-close) by bugs.debian.org; 23 Apr 2005 13:20:02 +0000
>From [EMAIL PROTECTED] Sat Apr 23 06:20:02 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DPKYE-00006q-00; Sat, 23 Apr 2005 06:20:02 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DPKVo-0006Bg-00; Sat, 23 Apr 2005 09:17:32 -0400
From: Ola Lundqvist <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#305436: fixed in horde2 2.2.8-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 23 Apr 2005 09:17:32 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Source: horde2
Source-Version: 2.2.8-1
We believe that the bug you reported is fixed in the latest version of
horde2, which is due to be installed in the Debian FTP archive:
horde2_2.2.8-1.diff.gz
to pool/main/h/horde2/horde2_2.2.8-1.diff.gz
horde2_2.2.8-1.dsc
to pool/main/h/horde2/horde2_2.2.8-1.dsc
horde2_2.2.8-1_all.deb
to pool/main/h/horde2/horde2_2.2.8-1_all.deb
horde2_2.2.8.orig.tar.gz
to pool/main/h/horde2/horde2_2.2.8.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ola Lundqvist <[EMAIL PROTECTED]> (supplier of updated horde2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 23 Apr 2005 11:45:15 +0200
Source: horde2
Binary: horde2
Architecture: source all
Version: 2.2.8-1
Distribution: unstable
Urgency: low
Maintainer: Ola Lundqvist <[EMAIL PROTECTED]>
Changed-By: Ola Lundqvist <[EMAIL PROTECTED]>
Description:
horde2 - horde web application suite
Closes: 305436
Changes:
horde2 (2.2.8-1) unstable; urgency=low
.
* New upstream release.
* This version fix the security problem as described by CAN-2005-0961.
* Moved away test.php, closes: #305436.
* No capital letters on the package description.
* Upstream changelog renamed.
Files:
44f881e4a54e28d40eee129363773de1 563 web optional horde2_2.2.8-1.dsc
89961af4e4488a908147d7b3a0dc3b44 683005 web optional horde2_2.2.8.orig.tar.gz
74e6fbf56991d1eb32772784fc71de4c 36760 web optional horde2_2.2.8-1.diff.gz
2ac775b66fc68d6671b8c53156639e22 514842 web optional horde2_2.2.8-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCakfMGKGxzw/lPdkRAm+MAJ96Lk0ALyCrO0gz/4TMtrGx5JBFqQCeJIsz
2oHtkFKFzG0GVLTVXt+sUwk=
=pshg
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
