Debian Bug report logs - #378281
horde3: CVE-2006-3548 and CVE-2006-3549: multiple vulnerabilities


Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Alec Berryman <alec@thened.net>

Date: Sat, 15 Jul 2006 00:33:01 UTC

Severity: serious

Tags: security

Found in versions 3.0.4-4sarge4, 3.1.1-3

Fixed in version horde3/3.1.2-1

Done: Lionel Elie Mamane <lmamane@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#378281; Package horde3.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: horde3: CVE-2006-3548 and CVE-2006-3549: multiple vulnerabilities
Date: Fri, 14 Jul 2006 20:12:32 -0400
Package: horde3
Version: 3.0.4-4sarge4 3.1.1-3
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3548: "Multiple cross-site scripting (XSS) vulnerabilities in
Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through
3.1.1 allow remote attackers to inject arbitrary web script or HTML via
a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI
in the url parameter in services/go.php (aka the dereferrer), (5) a
javascript URI in the module parameter in services/help (aka the help
viewer), and (6) the name parameter in services/problem.php (aka the
problem reporting screen)."

CVE-2006-3549: "services/go.php in Horde Application Framework 3.0.0
through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its
image proxy capability, which allows remote attackers to perform "Web
tunneling" attacks and use the server as a proxy via (1) http, (2)
https, and (3) ftp URL in the url parameter, which is requested from the
server."

These issues are reportedly fixed in 3.1.11 and 3.1.2.  The two list
announcements, [1] and [2], may provide more detail, but I can't reach
lists.horde.org now.  I believe they are the same as [3] and [4].

Sarge's version is affected.

Please note the CVE numbers in your changelogs.

Thanks,

Alec

[1] http://lists.horde.org/archives/announce/2006/000287.html
[2] http://lists.horde.org/archives/announce/2006/000288.html
[3] http://marc.theaimsgroup.com/?l=horde-announce&m=115211712002671&w=2
[4] http://marc.theaimsgroup.com/?l=horde-announce&m=115211223405498&w=2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEuDLwAud/2YgchcQRAvfJAJ9MmPk+iO2tvHfA2E+aMO6qSJUYHQCfUT7v
wZ9yLl7AAyyHXvaSkttd4FU=
=HKNa
-----END PGP SIGNATURE-----
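The two CVEs quoted in the report above share one root cause: the `url` parameter handed to `services/go.php` is trusted, both when it is echoed back into the dereferrer page (CVE-2006-3548) and when the image proxy fetches it (CVE-2006-3549). The following Python is an added example, not Horde's code and not the Debian patch; it shows the checks a defender would put in front of such an endpoint: an explicit scheme allowlist that excludes `javascript:`, `ftp:` and scheme-less forms, HTML-escaping of the target when it is rendered, and a host allowlist plus private-address check for the proxy. The allowlisted host `images.example.org`, the function names and the sample inputs are constructed for the example.

```python
import html
import ipaddress
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Schemes a dereferrer may redirect to. javascript:, data:, vbscript: and
# ftp: are deliberately absent; anything not listed here is rejected.
DEREF_SCHEMES = frozenset({"http", "https"})

# Hosts the image proxy is allowed to fetch from (constructed placeholder).
PROXY_HOSTS = frozenset({"images.example.org"})


def dereferrer_target(url: str) -> Optional[str]:
    """Validate the ``url`` parameter of a dereferrer page.

    Returns a normalised absolute http(s) URL, or None when the value must be
    refused (unknown or missing scheme, no host, embedded credentials).
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEREF_SCHEMES:
        return None          # covers javascript:, data:, ftp: and "//host" forms
    if not parts.hostname or parts.username is not None:
        return None          # no host, or a user:pass@host form
    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, ""))


def render_dereferrer(url: str) -> str:
    """Build the HTML a dereferrer page would emit for a validated target.

    The target is HTML-escaped on output: even an allowed http(s) URL can
    carry '"' or '<' in its query string, which is why the external-URL
    cases in the advisory were exploitable as XSS, not only javascript: ones.
    """
    target = dereferrer_target(url)
    if target is None:
        return "<p>Refusing to redirect to an invalid or unsupported URL.</p>"
    safe = html.escape(target, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def proxy_allowed(url: str) -> bool:
    """Decide whether an image proxy may fetch ``url``.

    Beyond the dereferrer rules, the host must be on an explicit allowlist,
    and IP-literal hosts in loopback/private/link-local ranges are refused so
    the server cannot be turned into a relay towards its own network.
    """
    target = dereferrer_target(url)
    if target is None:
        return False
    host = urlsplit(target).hostname.lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None          # a hostname, not an IP literal
    if addr is not None and (addr.is_private or addr.is_loopback
                             or addr.is_link_local or addr.is_reserved):
        return False
    return host in PROXY_HOSTS


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases in the advisory.
    for sample in ("javascript:alert(1)", "ftp://ftp.example.org/f",
                   'http://example.org/?q="><script>', "http://images.example.org/a.png"):
        print(repr(sample), "->", dereferrer_target(sample), proxy_allowed(sample))
```

The dereferrer and the proxy deliberately share `dereferrer_target`, so a scheme or host that is refused for redirection is also refused for fetching; the proxy then adds the stricter host allowlist on top. Note that allowlisting hosts by name does not cover DNS rebinding or a hostname that later resolves to an internal address; a proxy that must fetch from arbitrary hosts would also have to check the resolved address at connect time.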



Reply sent to Lionel Elie Mamane <lmamane@debian.org>:
You have taken responsibility.

Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.

Message #10 received at 378281-close@bugs.debian.org:

From: Lionel Elie Mamane <lmamane@debian.org>
To: 378281-close@bugs.debian.org
Subject: Bug#378281: fixed in horde3 3.1.2-1
Date: Sun, 16 Jul 2006 04:32:20 -0700
Source: horde3
Source-Version: 3.1.2-1

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.1.2-1.diff.gz
  to pool/main/h/horde3/horde3_3.1.2-1.diff.gz
horde3_3.1.2-1.dsc
  to pool/main/h/horde3/horde3_3.1.2-1.dsc
horde3_3.1.2-1_all.deb
  to pool/main/h/horde3/horde3_3.1.2-1_all.deb
horde3_3.1.2.orig.tar.gz
  to pool/main/h/horde3/horde3_3.1.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 378281@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lionel Elie Mamane <lmamane@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.7
Date: Sun, 16 Jul 2006 13:12:10 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.2-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Lionel Elie Mamane <lmamane@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 357377 373235 376526 378281
Changes: 
 horde3 (3.1.2-1) unstable; urgency=medium
 .
   * New upstream release.
     One of the following is true:
     - This release fixes security problems CVE-2006-3549 and CVE-2006-3548
     - These security problems were already fixed in the past in the Debian
       branch.
     - These security problems were already partially fixed in the past in
       the Debian version and this release mops up the rest.
     In all cases, closes: #378281
   * Tweak README.Debian and example config a bit (closes: #373235)
   * Make the PHP tempdir configurable instead of hardcoded in the weekly
     cleanup script (closes: #376526)
   * Put the CREDITS file where the online help viewer expects it
     (closes: #357377)
   * Bump up Standards-Version
Files: 
 0149ab05e7d45a8cb3a91cd91090d1f6 684 web optional horde3_3.1.2-1.dsc
 2c1f3e5759fa6bca07483d584151771f 5176353 web optional horde3_3.1.2.orig.tar.gz
 d53a26168741dff8e5824cbae9bb7ba2 9785 web optional horde3_3.1.2-1.diff.gz
 f4619366aaa6c501215cb22e8dcb225c 5197674 web optional horde3_3.1.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iEYEAREDAAYFAkS6H7sACgkQscRzFz57S3OVvACfbs5iC3AblxTjnh8k3VlngAhz
888AoPO098hkxwEs05LUCtFmJpiDpEIH
=aILs
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 18:37:17 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:51:44 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.