Debian Bug report logs - #315671
webcalendar: New upstream version with security fixes available


Package: webcalendar; Maintainer for webcalendar is (unknown);

Reported by: Herbert Thielen <debian-bugs@thielen-home.de>

Date: Fri, 24 Jun 2005 16:33:02 UTC

Severity: grave

Tags: security

Found in version 0.9.45-4

Fixed in version webcalendar/0.9.45-7

Done: Tim Peeler <thp@linuxforce.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Tim Peeler <thp@linuxforce.net>:
Bug#315671; Package webcalendar.

Acknowledgement sent to Herbert Thielen <debian-bugs@thielen-home.de>:
New Bug report received and forwarded. Copy sent to Tim Peeler <thp@linuxforce.net>.

Message #5 received at submit@bugs.debian.org:

From: Herbert Thielen <debian-bugs@thielen-home.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: webcalendar: New upstream version with security fixes available
Date: Fri, 24 Jun 2005 18:26:26 +0200
Package: webcalendar
Version: 0.9.45-4
Severity: grave
Tags: security
Justification: user security hole

According to http://freshmeat.net/projects/webcalendar there is a new
version 1.0.0 available, which includes "major security fixes" of
version 1.0RC3 ("all users should upgrade").

Regards
	Herbert.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages webcalendar depends on:
ii  apache2-mpm-prefork [httpd]   2.0.53-5   traditional model for Apache2
ii  debconf [debconf-2.0]         1.4.30.11  Debian configuration management sy
ii  php4                          4:4.3.10-8 server-side, HTML-embedded scripti
ii  php4-cgi                      4:4.3.10-8 server-side, HTML-embedded scripti
ii  php4-cli                      4:4.3.10-8 command-line interpreter for the p
ii  php4-mysql                    4:4.3.10-8 MySQL module for php4

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, Tim Peeler <thp@linuxforce.net>:
Bug#315671; Package webcalendar.

Acknowledgement sent to Paul Slootman <paul@debian.org>:
Extra info received and forwarded to list. Copy sent to Tim Peeler <thp@linuxforce.net>.

Message #10 received at 315671@bugs.debian.org:

From: Paul Slootman <paul@debian.org>
To: 315671@bugs.debian.org
Cc: Herbert Thielen <debian-bugs@thielen-home.de>
Subject: Re: webcalendar: New upstream version with security fixes available
Date: Mon, 18 Jul 2005 19:02:26 +0200
On Fri 24 Jun 2005, Herbert Thielen wrote:

> Package: webcalendar
> Version: 0.9.45-4
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> According to http://freshmeat.net/projects/webcalendar there is a new
> version 1.0.0 available, which includes "major security fixes" of
> version 1.0RC3 ("all users should upgrade").

If I don't see any response from the maintainer within a couple of days,
I will NMU version 1.0.0.


Paul Slootman



Information forwarded to debian-bugs-dist@lists.debian.org, Tim Peeler <thp@linuxforce.net>:
Bug#315671; Package webcalendar.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Tim Peeler <thp@linuxforce.net>.

Message #15 received at 315671@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: Paul Slootman <paul@debian.org>, 315671@bugs.debian.org
Cc: Herbert Thielen <debian-bugs@thielen-home.de>
Subject: Re: Bug#315671: webcalendar: New upstream version with security fixes available
Date: Mon, 18 Jul 2005 14:23:34 -0400
This one time, at band camp, Paul Slootman said:
> On Fri 24 Jun 2005, Herbert Thielen wrote:
> 
> > Package: webcalendar
> > Version: 0.9.45-4
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > According to http://freshmeat.net/projects/webcalendar there is a new
> > version 1.0.0 available, which includes "major security fixes" of
> > version 1.0RC3 ("all users should upgrade").
> 
> If I don't see any response from the maintainer within a couple of days,
> I will NMU version 1.0.0.

I am working on the maintainer on this now.  Give us a moment, but if
things get busy, we may say go ahead.
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Tim Peeler <thp@linuxforce.net>:
Bug#315671; Package webcalendar.

Acknowledgement sent to Stephen Gran <sgran@debian.org>, Tim Peeler <thp@linuxforce.net>, 315671@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Tim Peeler <thp@linuxforce.net>.

Message #20 received at 315671@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: security@debian.org, Tim Peeler <thp@linuxforce.net>
Cc: 315671@bugs.debian.org
Subject: webcalendar unauthorized access
Date: Mon, 18 Jul 2005 14:56:09 -0400
Hello all,

There is a security bug in webcalendar (#315671 and
http://www.securityfocus.com/bid/14072, for reference).  Tim is the
maintainer, but does not yet have a debian account, and cannot upload.
We have a fixed version for sarge ready (patch attached).  I am happy to
upload it for Tim, or you could based on the attached patch.  Please let
us know which way you want to handle this.  Tim is copied on this mail,
please keep both of us in the follow ups.

There is as yet no CVE, but the bugtraq ID is 14072.

Thanks,
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------
[sec.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Tim Peeler <thp@linuxforce.net>:
Bug#315671; Package webcalendar.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Tim Peeler <thp@linuxforce.net>.

Message #25 received at 315671@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: security@debian.org, Tim Peeler <thp@linuxforce.net>, 315671@bugs.debian.org
Subject: Re: webcalendar unauthorized access
Date: Tue, 19 Jul 2005 08:24:34 +0200
Stephen Gran wrote:
> Hello all,

Thanks a lot for contacting us.

> There is a security bug in webcalendar (#315671 and
> http://www.securityfocus.com/bid/14072, for reference).  Tim is the
> maintainer, but does not yet have a debian account, and cannot upload.
> We have a fixed version for sarge ready (patch attached).  I am happy to
> upload it for Tim, or you could based on the attached patch.  Please let
> us know which way you want to handle this.  Tim is copied on this mail,
> please keep both of us in the follow ups.
> 
> There is as yet no CVE, but the bugtraq ID is 14072.

I have requested an id.

While we're at it, have you checked this vulnerability as well?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0474

I'll take care of sarge.

Regards,

	Joey

-- 
Whenever you meet yourself you're in a time loop or in front of a mirror.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Tim Peeler <thp@linuxforce.net>:
Bug#315671; Package webcalendar.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Tim Peeler <thp@linuxforce.net>.

Message #30 received at 315671@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: Martin Schulze <joey@infodrom.org>, 315671@bugs.debian.org
Cc: security@debian.org, Tim Peeler <thp@linuxforce.net>
Subject: Re: Bug#315671: webcalendar unauthorized access
Date: Tue, 19 Jul 2005 09:04:54 -0400
This one time, at band camp, Martin Schulze said:
> Stephen Gran wrote:
> > Hello all,
> 
> Thanks a lot for contacting us.
> 
> > There is a security bug in webcalendar (#315671 and
> > http://www.securityfocus.com/bid/14072, for reference).  Tim is the
> > maintainer, but does not yet have a debian account, and cannot upload.
> > We have a fixed version for sarge ready (patch attached).  I am happy to
> > upload it for Tim, or you could based on the attached patch.  Please let
> > us know which way you want to handle this.  Tim is copied on this mail,
> > please keep both of us in the follow ups.
> > 
> > There is as yet no CVE, but the bugtraq ID is 14072.
> 
> I have requested an id.

Great, thanks.

> While we're at it, have you checked this vulnerability as well?
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0474

I had not seen it before.  We will get you a patch for this as well.

> I'll take care of sarge.

Excellent news.  So we'll try to get you a patch for CAN-2005-0474 later
today if possible, and you'll handle the upload fixing both - does that
work for you?  I guess I'll file a bug about CAN-2005-0474, so it's
easier to track it getting into both sid and etch.

Thanks again,
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Tim Peeler <thp@linuxforce.net>:
Bug#315671; Package webcalendar.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Tim Peeler <thp@linuxforce.net>.

Message #35 received at 315671@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: Martin Schulze <joey@infodrom.org>, 315671@bugs.debian.org
Cc: security@debian.org, Tim Peeler <thp@linuxforce.net>
Subject: Re: Bug#315671: webcalendar unauthorized access
Date: Tue, 19 Jul 2005 09:11:23 -0400
This one time, at band camp, Martin Schulze said:
> While we're at it, have you checked this vulnerability as well?
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0474

My mistake.  It appears that this is #295960 and #296280 and was fixed
in 0.9.45-3, so it made it to sarge.  So the only issue to fix is the
one we already sent a patch for, and you don't need to wait on anything
from us at this point, am I correct?

Thanks, and we'll get something into sid shortly.
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Tim Peeler <thp@linuxforce.net>:
Bug#315671; Package webcalendar.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Tim Peeler <thp@linuxforce.net>.

Message #40 received at 315671@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: security@debian.org, Tim Peeler <thp@linuxforce.net>, 315671@bugs.debian.org
Subject: Re: webcalendar unauthorized access
Date: Wed, 20 Jul 2005 00:15:59 +0200
Stephen Gran wrote:
> Hello all,
> 
> There is a security bug in webcalendar (#315671 and
> http://www.securityfocus.com/bid/14072, for reference).  Tim is the
> maintainer, but does not yet have a debian account, and cannot upload.
> We have a fixed version for sarge ready (patch attached).  I am happy to
> upload it for Tim, or you could based on the attached patch.  Please let
> us know which way you want to handle this.  Tim is copied on this mail,
> please keep both of us in the follow ups.
> 
> There is as yet no CVE, but the bugtraq ID is 14072.

Just got it:

======================================================
Candidate: CAN-2005-2320
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2320
Reference: BID:14072
Reference: URL:http://www.securityfocus.com/bid/14072

WebCalendar before 1.0.0 does not properly restrict access to
assistant_edit.php, which allows remote attackers to gain privileges.


Regards,

	Joey

-- 
Whenever you meet yourself you're in a time loop or in front of a mirror.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Tim Peeler <thp@linuxforce.net>:
Bug#315671; Package webcalendar.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Tim Peeler <thp@linuxforce.net>.

Message #45 received at 315671@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: 315671@bugs.debian.org
Subject: DSA claims this is fixed in a version of webcalendar that is not in the archive
Date: Thu, 11 Aug 2005 13:29:05 -0400
FYI, from the DSA about this security hole:

For the unstable distribution (sid) this problem has been fixed in
version 0.9.45-6.

But it seems that version was never uploaded.

-- 
see shy jo

Reply sent to Tim Peeler <thp@linuxforce.net>:
You have taken responsibility.

Notification sent to Herbert Thielen <debian-bugs@thielen-home.de>:
Bug acknowledged by developer.

Message #50 received at 315671-close@bugs.debian.org:

From: Tim Peeler <thp@linuxforce.net>
To: 315671-close@bugs.debian.org
Subject: Bug#315671: fixed in webcalendar 0.9.45-7
Date: Thu, 15 Sep 2005 02:47:12 -0700
Source: webcalendar
Source-Version: 0.9.45-7

We believe that the bug you reported is fixed in the latest version of
webcalendar, which is due to be installed in the Debian FTP archive:

webcalendar_0.9.45-7.diff.gz
  to pool/main/w/webcalendar/webcalendar_0.9.45-7.diff.gz
webcalendar_0.9.45-7.dsc
  to pool/main/w/webcalendar/webcalendar_0.9.45-7.dsc
webcalendar_0.9.45-7_all.deb
  to pool/main/w/webcalendar/webcalendar_0.9.45-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 315671@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tim Peeler <thp@linuxforce.net> (supplier of updated webcalendar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  2 Sep 2005 13:26:38 +0000
Source: webcalendar
Binary: webcalendar
Architecture: source all
Version: 0.9.45-7
Distribution: unstable
Urgency: high
Maintainer: Tim Peeler <thp@linuxforce.net>
Changed-By: Tim Peeler <thp@linuxforce.net>
Description: 
 webcalendar - PHP-Based multi-user calendar
Closes: 315671
Changes: 
 webcalendar (0.9.45-7) unstable; urgency=high
 .
   * Real fix for CAN-2005-2717, previous fix was the wrong patch.
 .
 webcalendar (0.9.45-6) unstable; urgency=high
 .
   * Fixed a bug in assistant_edit.php that allows unauthorized access
     (closes: #315671)
Files: 
 9be0f00b86c3eb95d6e5139628cc37a6 596 web optional webcalendar_0.9.45-7.dsc
 2c6339212da49d2fa35a37e002591de1 10318 web optional webcalendar_0.9.45-7.diff.gz
 c0335b9bb0ffa280fe9fe333fe60f6c6 628450 web optional webcalendar_0.9.45-7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDKUDqSYIMHOpZA44RAt9mAJkBGessLfxLmZ84TS9gdf4Lts9VwACfZztt
1XOfdVz9L5LTG4OHvibL5dU=
=61aO
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 10:44:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:38:54 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.