Your message dated Sat, 23 Apr 2005 09:17:32 -0400 with message-id <[EMAIL PROTECTED]> and subject line Bug#305436: fixed in horde2 2.2.8-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Gianluigi Tiesi <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: Insecure permissions for /usr/share/horde2/test.php can expose php settings by using phpinfo
Date: Wed, 20 Apr 2005 02:00:58 +0200

Package: horde2
Version: 2.2.7-7
Severity: important

/usr/share/horde2/test.php is world readable, and since it includes a phpinfo() function can expose php and apache settings. I suggest to make it 600 and add a note in README.Debian explaining the question and how to enable it to debug installation.

Also please note php 4.3.11 has removed Net_Socket, MAIL and DB pear modules so when it will be released php4-pear will not have these needed pear modules, so separate packages will be needed like php4-pear-log.

Best Regards

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-rc4
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages horde2 depends on:
ii  apache2-mpm-prefork [httpd]  2.0.54-2      traditional model for Apache2
ii  binutils                     2.15-5        The GNU assembler, linker and bina
ii  debconf                      1.4.48        Debian configuration management sy
ii  gettext                      0.14.4-1      GNU Internationalization utilities
ii  logrotate                    3.7-2         Log rotation utility
ii  make                         3.80-9        The GNU version of the "make" util
ii  perl                         5.8.4-8       Larry Wall's Practical Extraction
ii  php4                         4:4.3.10-12   server-side, HTML-embedded scripti
ii  php4-pear                    4:4.3.10-12   PEAR - PHP Extension and Applicati
ii  php4-pear-log                1.6.0-1.1     Log module for PEAR
ii  wwwconfig-common             0.0.43        Debian web auto configuration

-- debconf information excluded

---------------------------------------
From: Ola Lundqvist <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#305436: fixed in horde2 2.2.8-1
Date: Sat, 23 Apr 2005 09:17:32 -0400

Source: horde2
Source-Version: 2.2.8-1

We believe that the bug you reported is fixed in the latest version of horde2, which is due to be installed in the Debian FTP archive:

horde2_2.2.8-1.diff.gz
  to pool/main/h/horde2/horde2_2.2.8-1.diff.gz
horde2_2.2.8-1.dsc
  to pool/main/h/horde2/horde2_2.2.8-1.dsc
horde2_2.2.8-1_all.deb
  to pool/main/h/horde2/horde2_2.2.8-1_all.deb
horde2_2.2.8.orig.tar.gz
  to pool/main/h/horde2/horde2_2.2.8.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <[EMAIL PROTECTED]> (supplier of updated horde2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 23 Apr 2005 11:45:15 +0200
Source: horde2
Binary: horde2
Architecture: source all
Version: 2.2.8-1
Distribution: unstable
Urgency: low
Maintainer: Ola Lundqvist <[EMAIL PROTECTED]>
Changed-By: Ola Lundqvist <[EMAIL PROTECTED]>
Description:
 horde2 - horde web application suite
Closes: 305436
Changes:
 horde2 (2.2.8-1) unstable; urgency=low
 .
   * New upstream release.
   * This version fix the security problem as described by CAN-2005-0961.
   * Moved away test.php, closes: #305436.
   * No capital letters on the package description.
   * Upstream changelog renamed.
Files:
 44f881e4a54e28d40eee129363773de1 563 web optional horde2_2.2.8-1.dsc
 89961af4e4488a908147d7b3a0dc3b44 683005 web optional horde2_2.2.8.orig.tar.gz
 74e6fbf56991d1eb32772784fc71de4c 36760 web optional horde2_2.2.8-1.diff.gz
 2ac775b66fc68d6671b8c53156639e22 514842 web optional horde2_2.2.8-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCakfMGKGxzw/lPdkRAm+MAJ96Lk0ALyCrO0gz/4TMtrGx5JBFqQCeJIsz
2oHtkFKFzG0GVLTVXt+sUwk=
=pshg
-----END PGP SIGNATURE-----
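
The condition described in the bug report above, a PHP file that calls phpinfo() and is readable by every local user, can be audited with a short script. This is an added example, not part of the original messages or of the horde2 package; the function names and the sample tree are made up for illustration, and the mode 600 is the one the reporter suggests.

```shell
#!/bin/sh
# Added example (not from the horde2 package): audit a web directory for the
# condition in the report, a PHP file that calls phpinfo() and is world-readable.

# Print "PERMS PATH" for every *.php file under $1 that has the world-read
# bit set and contains a phpinfo( call. The grep is a heuristic: it also
# matches a call that is commented out.
find_exposed_phpinfo() {
    find "$1" -type f -name '*.php' -perm -004 \
        -exec grep -l 'phpinfo[[:space:]]*(' {} + 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(ls -ld "$f" | cut -d' ' -f1)" "$f"
    done
}

# Apply the mode the reporter suggests (600) to every file found above.
restrict_phpinfo() {
    find_exposed_phpinfo "$1" | while IFS= read -r line; do
        chmod 600 "${line#* }"   # strip the leading "PERMS " field
    done
}

# Build a constructed sample tree (file names are made up for the demo).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '<?php phpinfo(); ?>\n' > "$d/test.php"      # exposed
    printf '<?php phpinfo(); ?>\n' > "$d/private.php"   # already 600
    printf '<?php echo "hi"; ?>\n' > "$d/index.php"     # no phpinfo()
    chmod 644 "$d/test.php" "$d/index.php"
    chmod 600 "$d/private.php"
    printf '%s\n' "$d"
}

# With a directory argument, audit it; with none, run on the sample tree.
if [ "$#" -gt 0 ]; then
    find_exposed_phpinfo "$1"
else
    tree=$(make_sample_tree)
    find_exposed_phpinfo "$tree"
    rm -rf "$tree"
fi
```

A file set to 600 and owned by root is also unreadable by the web server, which is why the reporter asks for a README.Debian note on how to re-enable it for debugging.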