Debian Bug report logs - #340323
horde3: horde 3.0.7 fixes cross site scripting

Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Martin Lohmeier <martin@mein-horde.de>

Date: Tue, 22 Nov 2005 17:48:08 UTC

Severity: important

Tags: security

Found in version horde3/3.0.4-4sarge1

Fixed in versions horde3/3.0.7-1, horde3/3.0.4-4sarge2

Done: Ola Lundqvist <opal@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#340323; Package horde3.

Acknowledgement sent to Martin Lohmeier <martin@mein-horde.de>:
New Bug report received and forwarded. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Martin Lohmeier <martin@mein-horde.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: horde3: horde 3.0.7 fixes cross site scripting
Date: Tue, 22 Nov 2005 18:41:11 +0100
Package: horde3
Version: 3.0.4-4sarge1
Severity: normal
Tags: security

Hi,

horde 3.0.7 [1] fixes two cross site scripting vulnerabilities.

bye, Martin

[1] http://lists.horde.org/archives/announce/2005/000232.html

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.14
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)




Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#340323; Package horde3.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #10 received at 340323@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: Martin Lohmeier <martin@mein-horde.de>, 340323@bugs.debian.org
Cc: control@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#340323: horde3: horde 3.0.7 fixes cross site scripting
Date: Tue, 22 Nov 2005 20:18:59 +0100
severity 340323 important
thanks

Is there any CVE number or similar that I can refer this to?

To the security team:
Is this important enough to fix for sarge?
I have prepared a package that I can upload if you want.

Regards,

// Ola

On Tue, Nov 22, 2005 at 06:41:11PM +0100, Martin Lohmeier wrote:
> Package: horde3
> Version: 3.0.4-4sarge1
> Severity: normal
> Tags: security
> 
> Hi,
> 
> horde 3.0.7 [1] fixes two cross site scripting vulnerabilities.
> 
> bye, Martin
> 
> [1] http://lists.horde.org/archives/announce/2005/000232.html
> 
> -- System Information:
> Debian Release: 3.1
> Architecture: i386 (i686)
> Kernel: Linux 2.6.14
> Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Severity set to `important'. Request was from Ola Lundqvist <opal@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#340323; Package horde3.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #17 received at 340323@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Ola Lundqvist <opal@debian.org>
Cc: Martin Lohmeier <martin@mein-horde.de>, 340323@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#340323: horde3: horde 3.0.7 fixes cross site scripting
Date: Tue, 22 Nov 2005 22:09:05 +0100
Ola Lundqvist wrote:
> Is there any CVE number or similar that I can refer this to?

Please use

======================================================
Name: CVE-2005-3759
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3759
Reference: MLIST:[horde-announce] 20051122 Horde 3.0.7 (final)
Reference: URL:http://lists.horde.org/archives/announce/2005/000232.html

Multiple cross-site scripting (XSS) vulnerabilities in Horde before
3.0.7 allow remote attackers to inject arbitrary web script or HTML
via the (1) gzip/tar and (2) css MIME viewers.

> To the security team:
> Is this important enough to fix for sarge?
> I have prepared a package that I can upload if you want.

We should try to fix XSS at least.  I'd appreciate the updated
packages.  Could you upload them to a debian.org host or drop
me a URL from where to download?

Regards,

	Joey

-- 
In the beginning was the word, and the word was content-type: text/plain

Please always Cc to me when replying to me on the lists.



Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility.

Notification sent to Martin Lohmeier <martin@mein-horde.de>:
Bug acknowledged by developer.

Message #22 received at 340323-close@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: 340323-close@bugs.debian.org
Subject: Bug#340323: fixed in horde3 3.0.7-1
Date: Tue, 22 Nov 2005 14:02:20 -0800
Source: horde3
Source-Version: 3.0.7-1

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.0.7-1.diff.gz
  to pool/main/h/horde3/horde3_3.0.7-1.diff.gz
horde3_3.0.7-1.dsc
  to pool/main/h/horde3/horde3_3.0.7-1.dsc
horde3_3.0.7-1_all.deb
  to pool/main/h/horde3/horde3_3.0.7-1_all.deb
horde3_3.0.7.orig.tar.gz
  to pool/main/h/horde3/horde3_3.0.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340323@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 22 Nov 2005 22:45:59 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.7-1
Distribution: unstable
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 340323
Changes: 
 horde3 (3.0.7-1) unstable; urgency=high
 .
   * New upstream release.
     This version fixes cross site scripting vulnerabilities (CVE-2005-3759),
     closes: #340323.
Files: 
 7c76b240230b63e96aa6f96f702dc16a 615 web optional horde3_3.0.7-1.dsc
 a34304b1f1e704ca745caa728c929938 3746081 web optional horde3_3.0.7.orig.tar.gz
 8295da33ae6e3a7d1c14e5d4ec63afd6 7573 web optional horde3_3.0.7-1.diff.gz
 fd3ccac9a9dfa8d0d1dea5ef23f62509 3786064 web optional horde3_3.0.7-1_all.deb





Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility.

Notification sent to Martin Lohmeier <martin@mein-horde.de>:
Bug acknowledged by developer.

Message #27 received at 340323-close@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: 340323-close@bugs.debian.org
Subject: Bug#340323: fixed in horde3 3.0.4-4sarge2
Date: Wed, 23 Nov 2005 03:47:06 -0800
Source: horde3
Source-Version: 3.0.4-4sarge2

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.0.4-4sarge2.diff.gz
  to pool/main/h/horde3/horde3_3.0.4-4sarge2.diff.gz
horde3_3.0.4-4sarge2.dsc
  to pool/main/h/horde3/horde3_3.0.4-4sarge2.dsc
horde3_3.0.4-4sarge2_all.deb
  to pool/main/h/horde3/horde3_3.0.4-4sarge2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340323@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 22 Nov 2005 20:38:11 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge2
Distribution: stable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 340323
Changes: 
 horde3 (3.0.4-4sarge2) stable-security; urgency=high
 .
   * Applied fix for cross site scripting vulnerabilities from 3.0.7
     version of horde3 (CVE-2005-3759), closes: #340323.
Files: 
 27cf54c21d0c339df3365556e90c9ab1 627 web optional horde3_3.0.4-4sarge2.dsc
 522015d1367493bc630f00c4277f1489 7645 web optional horde3_3.0.4-4sarge2.diff.gz
 193fcb5f5c037a3a791bc81d29e9ab3f 3432280 web optional horde3_3.0.4-4sarge2_all.deb





Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility.

Notification sent to Martin Lohmeier <martin@mein-horde.de>:
Bug acknowledged by developer.

Message #32 received at 340323-close@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: 340323-close@bugs.debian.org
Subject: Bug#340323: fixed in horde3 3.0.4-4sarge2
Date: Fri, 16 Dec 2005 21:26:48 -0800
Source: horde3
Source-Version: 3.0.4-4sarge2


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 21:48:18 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:18:03 2014; Machine Name: beach.debian.org
