Bug#955019: marked as done (php-horde-trean: CVE-2020-8865)

2020-06-30 Thread Debian Bug Tracking System
Your message dated Tue, 30 Jun 2020 09:04:25 +
with message-id 
and subject line Bug#955019: fixed in php-horde-trean 1.1.10-1
has caused the Debian Bug report #955019,
regarding php-horde-trean: CVE-2020-8865
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
955019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955019
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-trean
Version: 1.1.9-4
Severity: important
Tags: security upstream
Control: found -1 1.1.9-3

Hi,

The following vulnerability was published for php-horde-trean.

CVE-2020-8865[0]:
| This vulnerability allows remote attackers to execute local PHP files
| on affected installations of Horde Groupware Webmail Edition 5.2.22.
| Authentication is required to exploit this vulnerability. The specific
| flaw exists within edit.php. When parsing the params[template]
| parameter, the process does not properly validate a user-supplied path
| prior to using it in file operations. An attacker can leverage this in
| conjunction with other vulnerabilities to execute code in the context
| of the www-data user. Was ZDI-CAN-10469.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8865

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
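The class of flaw the advisory text describes, a request-supplied template path reaching a file operation without validation, is closed by the check below. This is an added example, not code from Horde, Trean or the Debian patch; `resolveTemplate()`, the template names and the temporary fixture directory are hypothetical, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical names: resolveTemplate() and the template names below are
// illustrative only, not identifiers from Horde or Trean. Requires PHP 8.

/** Return the real path of an allow-listed template under $baseDir, or null. */
function resolveTemplate(string $baseDir, mixed $name, array $allowed): ?string
{
    // Request data may be an array or carry separators and ".." segments,
    // so accept only exact matches against a fixed allow-list.
    if (!is_string($name) || !in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    // Defence in depth: once symlinks are resolved, the file must still
    // sit inside the template directory.
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Constructed fixture: a temporary template directory with one template.
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/default.php', "<?php echo 'default template';\n");

// Constructed inputs standing in for the value of params[template].
$inputs = ['default', '../default', 'default.php', '/etc/hostname', ['default'], 'missing'];
foreach ($inputs as $input) {
    $file = resolveTemplate($dir, $input, ['default', 'missing']);
    $shown = json_encode($input, JSON_UNESCAPED_SLASHES);
    printf("%-18s => %s\n", $shown, $file === null ? 'rejected' : 'accepted');
    // Only a validated path may reach the file operation:
    // if ($file !== null) { require $file; }
}

unlink($dir . '/default.php');
rmdir($dir);
```

Only the exact allow-listed name `default` is accepted; `missing` is allow-listed but has no file on disk, so it is rejected at the `realpath()` step.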
--- Begin Message ---
Source: php-horde-trean
Source-Version: 1.1.10-1
Done: Mike Gabriel 

We believe that the bug you reported is fixed in the latest version of
php-horde-trean, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel (supplier of updated php-horde-trean package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 30 Jun 2020 10:44:28 +0200
Source: php-horde-trean
Architecture: source
Version: 1.1.10-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers 
Changed-By: Mike Gabriel 
Closes: 955019
Changes:
 php-horde-trean (1.1.10-1) unstable; urgency=medium
 .
   [ Juri Grabowski ]
   * New upstream version 1.1.10
   * SECURITY: The Trean application of the Horde Application Framework
     contained a directory traversal vulnerability (CVE-2020-8865) resulting
     from insufficient input sanitization. An authenticated remote attacker
     could use this flaw to execute code in the context of the web server
     user. (Closes: #955019).
 .
   [ Mike Gabriel ]
   * d/salsa-ci.yml: Add file with salsa-ci.yml and pipeline-jobs.yml calls.
   * d/control: Bump DH compat level to version 13.
   * d/control: Add to Uploaders: Juri Grabowski.

Bug#955019: marked as done (php-horde-trean: CVE-2020-8865)

2020-04-25 Thread Debian Bug Tracking System
Your message dated Sat, 25 Apr 2020 18:17:24 +
with message-id 
and subject line Bug#955019: fixed in php-horde-trean 1.1.7-1+deb9u1
has caused the Debian Bug report #955019,
regarding php-horde-trean: CVE-2020-8865
to be marked as done.

--- Begin Message ---
Source: php-horde-trean
Source-Version: 1.1.7-1+deb9u1
Done: robe...@debian.org (Roberto C. Sanchez)

We believe that the bug you reported is fixed in the latest version of
php-horde-trean, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez (supplier of updated php-horde-trean package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 10 Apr 2020 20:32:35 -0400
Source: php-horde-trean
Binary: php-horde-trean
Architecture: source
Version: 1.1.7-1+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Horde Maintainers 
Changed-By: Roberto C. Sanchez 
Description:
 php-horde-trean - ${phppear:summary}
Closes: 955019
Changes:
 php-horde-trean (1.1.7-1+deb9u1) stretch; urgency=high
 .
   * Fix CVE-2020-8865:
     The Horde Application Framework contained a directory traversal
     vulnerability resulting from insufficient input sanitization. An
     authenticated remote attacker could use this flaw to execute code in the
     context of the web server user. (Closes: #955019)

Bug#955019: marked as done (php-horde-trean: CVE-2020-8865)

2020-04-25 Thread Debian Bug Tracking System
Your message dated Sat, 25 Apr 2020 15:02:14 +
with message-id 
and subject line Bug#955019: fixed in php-horde-trean 1.1.9-3+deb10u1
has caused the Debian Bug report #955019,
regarding php-horde-trean: CVE-2020-8865
to be marked as done.

--- Begin Message ---
Source: php-horde-trean
Source-Version: 1.1.9-3+deb10u1
Done: robe...@debian.org (Roberto C. Sanchez)

We believe that the bug you reported is fixed in the latest version of
php-horde-trean, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez (supplier of updated php-horde-trean package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 10 Apr 2020 20:31:30 -0400
Source: php-horde-trean
Architecture: source
Version: 1.1.9-3+deb10u1
Distribution: buster
Urgency: high
Maintainer: Horde Maintainers 
Changed-By: Roberto C. Sanchez 
Closes: 955019
Changes:
 php-horde-trean (1.1.9-3+deb10u1) buster; urgency=high
 .
   * Fix CVE-2020-8865:
     The Horde Application Framework contained a directory traversal
     vulnerability resulting from insufficient input sanitization. An
     authenticated remote attacker could use this flaw to execute code in the
     context of the web server user. (Closes: #955019)