Debian Bug report logs - #338983
horde2: New upstream version with security fix


Package: horde2; Maintainer for horde2 is (unknown);

Reported by: Soós Péter <sp@osb.hu>

Date: Mon, 14 Nov 2005 09:03:11 UTC

Severity: important

Tags: patch, security

Found in version horde2/2.2.8-1

Fixed in version horde2/2.2.9-1

Done: Ola Lundqvist <opal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#338983; Package horde2.

Acknowledgement sent to Soós Péter <sp@osb.hu>:
New Bug report received and forwarded. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Soós Péter <sp@osb.hu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: horde2: New upstream version with security fix
Date: Mon, 14 Nov 2005 09:45:39 +0100
Package: horde2
Version: 2.2.8-1
Severity: grave
Tags: security
Justification: user security hole

New upstream version v2.2.9 available to fix potential XSS vulnerability
due to not properly escaped error messages.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.14
Locale: LANG=en_US, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages horde2 depends on:
ii  apache2                      2.0.54-5    next generation, scalable, extenda
ii  apache2-mpm-prefork [httpd]  2.0.54-5    traditional model for Apache2
ii  binutils                     2.15-6      The GNU assembler, linker and bina
ii  debconf                      1.4.30.13   Debian configuration management sy
ii  gettext                      0.14.4-2    GNU Internationalization utilities
ii  logrotate                    3.7-5       Log rotation utility
ii  make                         3.80-9      The GNU version of the "make" util
ii  perl                         5.8.4-8     Larry Wall's Practical Extraction 
ii  php4                         4:4.3.10-16 server-side, HTML-embedded scripti
ii  php4-cgi                     4:4.3.10-16 server-side, HTML-embedded scripti
ii  php4-pear                    4:4.3.10-16 PEAR - PHP Extension and Applicati
ii  php4-pear-log                1.6.0-1.1   Log module for PEAR
ii  wwwconfig-common             0.0.43      Debian web auto configuration

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#338983; Package horde2.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #10 received at 338983@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: Soós Péter <sp@osb.hu>, 338983@bugs.debian.org
Cc: team@security.debian.org, control@bugs.debian.org
Subject: Re: Bug#338983: horde2: New upstream version with security fix
Date: Mon, 14 Nov 2005 11:23:14 +0100
severity 338983 important
thanks

Hello

I assume that this applies to the sarge version as well.

I'm not sure this should be considered grave as this only can occur
when a fatal error occurs.

This is the actual fix:
@@ -234,7 +234,7 @@
 
         $errortext = _("<b>A fatal error has occurred:</b>") . "<br /><br />\n";
         if (is_object($error) && method_exists($error, 'getMessage')) {
-            $errortext .= $error->getMessage() . "<br /><br />\n";
+            $errortext .= htmlspecialchars($error->getMessage()) . "<br /><br />\n";
         }
         $errortext .= sprintf(_("[line %s of %s]"), $line, $file);
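Review bot: the added htmlspecialchars() call on the `+` line relies on the default quote style, which in PHP 4 is ENT_COMPAT: double quotes are converted, single quotes are left as-is. That is adequate for the text-node context shown here, but passing ENT_QUOTES (`htmlspecialchars($error->getMessage(), ENT_QUOTES)`) would also cover the case where $errortext is ever placed inside a quoted attribute. The sprintf() line in the trailing context still interpolates $line and $file unescaped; they come from the error handler rather than the request, so that is acceptable today, but a short comment saying so would stop a later change from routing caller-supplied strings through the same path.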

I'm not even sure that this is possible to trigger without being logged
in. But still even logged in users should not be allowed to do such attacks.

And even one more thing is that the error message is not from the user, or
am I wrong here?

So really I'm not sure that this is even possible to trigger. As the
release note stated this is a potential XSS vulnerability.

On Mon, Nov 14, 2005 at 09:45:39AM +0100, Soós Péter wrote:
> Package: horde2
> Version: 2.2.8-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> New upstream version v2.2.9 available to fix potential XSS vulnerability
> due to not properly escaped error messages.

Is there a CAN number for this? I could not find that in the release
notes.

Thanks anyway for reporting. It is valuable to know that new versions come
out with important fixes.

For me and the security team:
http://ftp.horde.org/pub/horde/patches/patch-horde-2.2.8-2.2.9.gz
http://lists.horde.org/archives/announce/2005/000231.html

Regards,

// Ola

> -- System Information:
> Debian Release: 3.1
> Architecture: i386 (i686)
> Kernel: Linux 2.6.14
> Locale: LANG=en_US, LC_CTYPE=hu_HU (charmap=ISO-8859-2)
> 
> Versions of packages horde2 depends on:
> ii  apache2                      2.0.54-5    next generation, scalable, extenda
> ii  apache2-mpm-prefork [httpd]  2.0.54-5    traditional model for Apache2
> ii  binutils                     2.15-6      The GNU assembler, linker and bina
> ii  debconf                      1.4.30.13   Debian configuration management sy
> ii  gettext                      0.14.4-2    GNU Internationalization utilities
> ii  logrotate                    3.7-5       Log rotation utility
> ii  make                         3.80-9      The GNU version of the "make" util
> ii  perl                         5.8.4-8     Larry Wall's Practical Extraction 
> ii  php4                         4:4.3.10-16 server-side, HTML-embedded scripti
> ii  php4-cgi                     4:4.3.10-16 server-side, HTML-embedded scripti
> ii  php4-pear                    4:4.3.10-16 PEAR - PHP Extension and Applicati
> ii  php4-pear-log                1.6.0-1.1   Log module for PEAR
> ii  wwwconfig-common             0.0.43      Debian web auto configuration
> 
> -- debconf information excluded
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
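The difference between the 2.2.8 and 2.2.9 renderings discussed in the message above, written out as an added example (this is illustration code, not Horde's own source): one function concatenates the error message straight into the HTML as the old code did, the other escapes it as the fix does, with ENT_QUOTES added so single quotes are covered as well and the file name run through the same escaping. The sample message and the file path `lib/Example.php` are constructed for the example; the gettext wrapper from the real code is left out.

```php
<?php
// Added example, not Horde code. Shows why escaping the message matters
// and checks the result with assertions. The message and file path are
// constructed sample values.

function render_fatal_unescaped($message, $line, $file) {
    // Pre-2.2.9 behaviour: the message is concatenated straight into HTML,
    // so any markup it contains becomes part of the page.
    $errortext  = "<b>A fatal error has occurred:</b><br /><br />\n";
    $errortext .= $message . "<br /><br />\n";
    $errortext .= sprintf("[line %s of %s]", $line, $file);
    return $errortext;
}

function render_fatal_escaped($message, $line, $file) {
    // 2.2.9 behaviour, plus ENT_QUOTES so single quotes are escaped too
    // (the default ENT_COMPAT only converts double quotes), and the file
    // name escaped as well in case it ever carries caller-supplied data.
    $errortext  = "<b>A fatal error has occurred:</b><br /><br />\n";
    $errortext .= htmlspecialchars($message, ENT_QUOTES) . "<br /><br />\n";
    $errortext .= sprintf("[line %s of %s]",
                          (int) $line,
                          htmlspecialchars($file, ENT_QUOTES));
    return $errortext;
}

// Constructed sample: an error message that happens to contain markup and
// both kinds of quotes, as a backend error might if it echoes part of a
// request back to the user.
$sample = "Cannot open folder <i>INBOX</i> (\"double\" & 'single')";

$before = render_fatal_unescaped($sample, 42, 'lib/Example.php');
$after  = render_fatal_escaped($sample, 42, 'lib/Example.php');

// The old rendering leaves the <i> tag live; the fixed one neutralises it
// and every other special character.
assert(strpos($before, '<i>INBOX</i>') !== false);
assert(strpos($after, '<i>') === false);
assert(strpos($after, '&lt;i&gt;INBOX&lt;/i&gt;') !== false);
assert(strpos($after, '&quot;double&quot;') !== false);
assert(strpos($after, '&#039;single&#039;') !== false);
assert(strpos($after, '&amp;') !== false);

echo $after, "\n";
```

Run it with `php example.php`; the assertions hold on PHP 4.3 and later because `htmlspecialchars()` has emitted `&#039;` for single quotes under ENT_QUOTES since that version. The fixed intro line keeps its own `<b>` tag deliberately: it is static, trusted markup, and only the dynamic parts of the page need escaping.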



Severity set to `important'. Request was from Ola Lundqvist <opal@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#338983; Package horde2.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #17 received at 338983@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 338983@bugs.debian.org
Subject: CVE assignment
Date: Fri, 18 Nov 2005 11:03:43 +0100
This has been assigned CVE-2005-3570, please mention it in the changelog
when fixing this.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#338983; Package horde2.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #22 received at 338983@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 338983@bugs.debian.org
Subject: Re: Bug#338983: CVE assignment
Date: Fri, 18 Nov 2005 14:22:39 +0100
Thanks a lot!

I'll do that.

Regards,

// Ola

On Fri, Nov 18, 2005 at 11:03:43AM +0100, Moritz Muehlenhoff wrote:
> This has been assigned CVE-2005-3570, please mention it in the changelog
> when fixing this.
> 
> Cheers,
>         Moritz
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#338983; Package horde2.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #27 received at 338983@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Ola Lundqvist <opal@debian.org>
Cc: Soós Péter <sp@osb.hu>, 338983@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#338983: horde2: New upstream version with security fix
Date: Sun, 20 Nov 2005 09:15:47 +0100
Ola Lundqvist wrote:
> I assume that this applies to the sarge version as well.

It seems so.

> I'm not sure this should be considered grave as this only can occur
> when a fatal error occurs.

Better be safe than sorry, also error pages can be referenced.

> I'm not even sure that this is possible to trigger without being logged
> in. But still even logged in users should not be allowed to do such attacks.

Ack.

Please let me know the version number of the package in sid that'll fix
this problem.

Regards,

	Joey

-- 
Life is a lot easier when you have someone to share it with.  -- Sean Perry

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#338983; Package horde2.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #32 received at 338983@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: team@security.debian.org, 338983@bugs.debian.org, Soós Péter <sp@osb.hu>, control@bugs.debian.org
Subject: Re: Bug#338983: horde2: New upstream version with security fix
Date: Mon, 21 Nov 2005 19:50:43 +0100
tags 338983 + patch
thanks

Hello

Fixed version uploaded now to unstable. Version 2.2.9-1.

Do you want me to prepare a sarge version as well? It is trivial to patch
with the information in the bug.

Regards,

// Ola

On Sun, Nov 20, 2005 at 09:15:47AM +0100, Martin Schulze wrote:
> Ola Lundqvist wrote:
> > I assume that this applies to the sarge version as well.
> 
> It seems so.
> 
> > I'm not sure this should be considered grave as this only can occur
> > when a fatal error occurs.
> 
> Better be safe than sorry, also error pages can be referenced.
> 
> > I'm not even sure that this is possible to trigger without being logged
> > in. But still even logged in users should not be allowed to do such attacks.
> 
> Ack.
> 
> Please let me know the version number of the package in sid that'll fix
> this problem.
> 
> Regards,
> 
> 	Joey
> 
> -- 
> Life is a lot easier when you have someone to share it with.  -- Sean Perry
> 
> Please always Cc to me when replying to me on the lists.
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Tags added: patch. Request was from Ola Lundqvist <opal@debian.org> to control@bugs.debian.org.

Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility.

Notification sent to Soós Péter <sp@osb.hu>:
Bug acknowledged by developer.

Message #39 received at 338983-close@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: 338983-close@bugs.debian.org
Subject: Bug#338983: fixed in horde2 2.2.9-1
Date: Mon, 21 Nov 2005 11:02:08 -0800
Source: horde2
Source-Version: 2.2.9-1

We believe that the bug you reported is fixed in the latest version of
horde2, which is due to be installed in the Debian FTP archive:

horde2_2.2.9-1.diff.gz
  to pool/main/h/horde2/horde2_2.2.9-1.diff.gz
horde2_2.2.9-1.dsc
  to pool/main/h/horde2/horde2_2.2.9-1.dsc
horde2_2.2.9-1_all.deb
  to pool/main/h/horde2/horde2_2.2.9-1_all.deb
horde2_2.2.9.orig.tar.gz
  to pool/main/h/horde2/horde2_2.2.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 338983@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated horde2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 21 Nov 2005 20:03:22 +0100
Source: horde2
Binary: horde2
Architecture: source all
Version: 2.2.9-1
Distribution: unstable
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description: 
 horde2     - horde web application suite
Closes: 338983
Changes: 
 horde2 (2.2.9-1) unstable; urgency=high
 .
   * New upstream release.
     This release fix a cross site scripting vulnerability (CVE-2005-3570),
     closes: #338983.
Files: 
 3ef2d764423af157b6ccd03271ec287b 563 web optional horde2_2.2.9-1.dsc
 0d1a8a52ee69307fe2d687edd0b1c3c8 683026 web optional horde2_2.2.9.orig.tar.gz
 3d18604e6014112ae9f9a1dc8172dbc9 59567 web optional horde2_2.2.9-1.diff.gz
 d74d1ea1853a3213335f36719ce1958f 528996 web optional horde2_2.2.9-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDghp3GKGxzw/lPdkRAhQgAJ9jxpJmbdEamOhJPyj8F+XbjzLhJgCfTMRr
b9TECUZxUOozfWq1HUu99Xo=
=tHXE
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jun 2007 02:57:08 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:19:33 2014; Machine Name: beach.debian.org
