Debian Bug report logs - #434045
horde3: Cross-site scripting (XSS) vulnerability


Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Steffen Joeris <white@debian.org>

Date: Sat, 21 Jul 2007 06:21:01 UTC

Severity: grave

Tags: security

Fixed in versions horde3/3.1.4-1, horde3/3.0.4-4sarge5, horde3/3.1.3-4etch1

Done: Gregory Colpart (evolix) <reg@evolix.fr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#434045; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <white@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: horde3: Cross-site scripting (XSS) vulnerability
Date: Sat, 21 Jul 2007 16:21:08 +0200
Package: horde3
Severity: grave
Tags: security
Justification: user security hole

Hi mate

A possible security hole has been discovered in horde3.
The CVE[0] text says:


Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php
in Horde Framework before 3.1.4 RC1, when the login page contains
a language selection box, allows remote attackers to inject 
arbitrary web script or HTML via the new_lang parameter to login.php.

It states that all the versions in Debian are affected. Feel
free to downgrade the bug if I am mistaken.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1473



Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#434045; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 434045@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: 434045@bugs.debian.org
Subject: Re: [pkg-horde] Bug#434045: horde3: Cross-site scripting (XSS) vulnerability
Date: Sun, 22 Jul 2007 05:47:06 +0200
On Sat, Jul 21, 2007 at 04:21:08PM +0200, Steffen Joeris wrote:
> 
> A possible security hole has been discovered in horde3.
> The CVE[0] text says:
> 
> Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php
> in Horde Framework before 3.1.4 RC1, when the login page contains
> a language selection box, allows remote attackers to inject 
> arbitrary web script or HTML via the new_lang parameter to login.php.
> 
> It states that all the versions in Debian are affected. Feel
> free to downgrade the bug if I am mistaken.

I was wrong here[*], because an attacker could also inject data
into the HTML code of all pages. Then we could imagine a lot of
attacks, for example a fake login/password <form>...
I am working on updated packages and warning the security team.

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/



Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#434045; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 434045@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: team@security.debian.org
Cc: opal@debian.org, 434045@bugs.debian.org
Subject: security-bug informations for horde3 package
Date: Sun, 22 Jul 2007 09:06:48 +0200
Hello,

The package horde3 has an XSS vulnerability (see CVE-2007-1473 and bug #434045).
Affected versions are:
- sarge version (3.0.4-4sarge4)
- etch version (3.1.3-4)
- testing/unstable version (3.1.3-5)


Upstream patch is trivial
(http://bugs.horde.org/ticket/?id=4816):

8<----------------------------------
- } elseif (!empty($lang)) {
+ } elseif (!empty($lang) && NLS::isValid($lang)) {
8<----------------------------------
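
Review bot: The added `NLS::isValid($lang)` test on the `elseif` line only guards the point where the language is selected; nothing in this excerpt touches the place where the value is written into the page, so I would also HTML-escape the language value at output so that any other code path that sets it cannot reintroduce the injection. The excerpt also carries no file header or `@@` context, so a reviewer cannot see which branch handles a value that fails validation; quoting the enclosing function from framework/NLS/NLS.php would settle that.
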


I prepared fixed packages:

- sarge version
http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.diff.gz
http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge4_3.0.4-4sarge5.diff

- etch version
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.diff.gz
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4_3.1.3-4etch1.diff

- unstable version
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.diff.gz
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-5_3.1.4-1.diff

Note that I'm a member of the pkg-horde team but I'm not a DD, so
I am waiting for my sponsor to upload the unstable package.


If you want to test the vulnerability, you could go to:
http://<server>/horde3/?new_lang=%22%3E%3Cbody%20onload=%22alert%28'hello%20world'%29%3B
(I can provide you vulnerable URL in private if you want)


Information for the advisory:

8<----------------------------------
horde3 -- XSS vulnerability

Date Reported:
    ?? Jul 2007
Affected Packages:
    horde3
Vulnerable:
    Yes
Security database references:
    In Mitre's CVE dictionary: CVE-2007-1473
More information:

It was discovered that the Horde web application framework has a cross-site
scripting (XSS) vulnerability in framework/NLS/NLS.php, which allows remote attackers
to inject arbitrary web script or HTML via the new_lang parameter.

For the old stable distribution (sarge) this problem has been fixed in version 3.0.4-4sarge5.

For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch1.

For the unstable distribution (sid) this problem has been fixed in version 3.1.4-1.

We recommend that you upgrade your horde3 package.
8<----------------------------------


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
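
The one-line upstream fix in the message above follows an allow-list pattern: a request value is accepted as the language only if it is a known language. The sketch below is an added example, not part of the bug log and not Horde's code; the function names, the language list and the template line that writes the value into a `lang` attribute are assumptions, since the report does not show where the value reaches the page.

```php
<?php
// Added illustration, not Horde code. Function names, the language list and
// the template line are assumptions made for this example.

const ALLOWED_LANGS = ['en_US', 'fr_FR', 'de_DE', 'sv_SE']; // constructed list
const DEFAULT_LANG  = 'en_US';

// Shape of the check before the patch: any non-empty value is accepted.
function select_lang_unchecked(?string $requested): string
{
    if (!empty($requested)) {
        return $requested;
    }
    return DEFAULT_LANG;
}

// Shape of the check after the patch: the value must also be a known
// language. in_array() stands in for NLS::isValid(), whose body is not
// shown in the report.
function select_lang_checked(?string $requested): string
{
    if (!empty($requested) && in_array($requested, ALLOWED_LANGS, true)) {
        return $requested;
    }
    return DEFAULT_LANG;
}

// Hypothetical template line that writes the language into an attribute.
// With $escape set, the value is encoded for the attribute context.
function render_html_tag(string $lang, bool $escape): string
{
    $value = $escape ? htmlspecialchars($lang, ENT_QUOTES, 'UTF-8') : $lang;
    return '<html lang="' . $value . '">';
}

// Inputs: a legitimate choice, an empty value, and the test value quoted in
// message #15, URL-decoded as PHP would deliver it in $_GET.
$inputs = [
    'fr_FR',
    '',
    urldecode("%22%3E%3Cbody%20onload=%22alert%28'hello%20world'%29%3B"),
];

foreach ($inputs as $in) {
    printf("input:            %s\n", var_export($in, true));
    printf("  unchecked, raw: %s\n", render_html_tag(select_lang_unchecked($in), false));
    printf("  unchecked, esc: %s\n", render_html_tag(select_lang_unchecked($in), true));
    printf("  checked,   raw: %s\n\n", render_html_tag(select_lang_checked($in), false));
}
```

For the third input, only the "unchecked, raw" line breaks out of the attribute; the checked selector falls back to the default language, and the escaped output keeps the value inside the attribute even when validation is skipped.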



Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#434045; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to ola@opalsys.net:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 434045@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <ola@opalsys.net>
To: Gregory Colpart <reg@evolix.fr>
Cc: team@security.debian.org, 434045@bugs.debian.org
Subject: Re: security-bug informations for horde3 package
Date: Sun, 22 Jul 2007 14:14:54 +0200
Hi

What the attacker can do is the following:
* Set up a fake site.
* Trick some user to go to that site.
* Redirect the user to the real site and inject some fake login code or
  similar.

There is proof on SecurityFocus that it is possible:

[Base_HREF]/horde/[Horde_App]/login.php?new_lang=%22%3E%3Cbody%20onload=%22alert%28'XSS'%29%3B

I could not really understand how that is possible, as the only place
where the code does not look like this:

isset($GLOBALS['nls']['rtl'][$GLOBALS['language']])

is in the mobile device handling code... However, I have tested it myself and
yes, it is possible to do this kind of XSS thing, so it must be some other
variable that is set somewhere.

In any case I'm uploading the sid version now.

Regards,

// Ola

On Sun, Jul 22, 2007 at 09:06:48AM +0200, Gregory Colpart wrote:
> Hello,
> 
> The package horde3 has an XSS vulnerability (see CVE-2007-1473 and bug #434045).
> Affected versions are:
> - sarge version (3.0.4-4sarge4)
> - etch version (3.1.3-4)
> - testing/unstable version (3.1.3-5)
> 
> 
> Upstream patch is trivial
> (http://bugs.horde.org/ticket/?id=4816):
> 
> 8<----------------------------------
> - } elseif (!empty($lang)) {
> + } elseif (!empty($lang) && NLS::isValid($lang)) {
> 8<----------------------------------
> 
> 
> I prepared fixed packages:
> 
> - sarge version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge4_3.0.4-4sarge5.diff
> 
> - etch version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4_3.1.3-4etch1.diff
> 
> - unstable version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-5_3.1.4-1.diff
> 
> Note that I'm a member of the pkg-horde team but I'm not a DD, so
> I am waiting for my sponsor to upload the unstable package.
> 
> 
> If you want to test the vulnerability, you could go to:
> http://<server>/horde3/?new_lang=%22%3E%3Cbody%20onload=%22alert%28'hello%20world'%29%3B
> (I can provide you vulnerable URL in private if you want)
> 
> 
> Information for the advisory:
> 
> 8<----------------------------------
> horde3 -- XSS vulnerability
> 
> Date Reported:
>     ?? Jul 2007
> Affected Packages:
>     horde3
> Vulnerable:
>     Yes
> Security database references:
>     In Mitre's CVE dictionary: CVE-2007-1473
> More information:
> 
> It was discovered that the Horde web application framework has a cross-site
> scripting (XSS) vulnerability in framework/NLS/NLS.php, which allows remote attackers
> to inject arbitrary web script or HTML via the new_lang parameter.
> 
> For the old stable distribution (sarge) this problem has been fixed in version 3.0.4-4sarge5.
> 
> For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch1.
> 
> For the unstable distribution (sid) this problem has been fixed in version 3.1.4-1.
> 
> We recommend that you upgrade your horde3 package.
> 8<----------------------------------
> 
> 
> Regards,
> -- 
> Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
> Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
> 

-- 
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering ----
/  ola@opalsys.net                   Annebergsslingan 37        \
|  opal@debian.org                   654 65 KARLSTAD            |
|  http://opalsys.net/               Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------



Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <white@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 434045-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 434045-close@bugs.debian.org
Subject: Bug#434045: fixed in horde3 3.1.4-1
Date: Mon, 23 Jul 2007 07:02:03 +0000
Source: horde3
Source-Version: 3.1.4-1

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.1.4-1.diff.gz
  to pool/main/h/horde3/horde3_3.1.4-1.diff.gz
horde3_3.1.4-1.dsc
  to pool/main/h/horde3/horde3_3.1.4-1.dsc
horde3_3.1.4-1_all.deb
  to pool/main/h/horde3/horde3_3.1.4-1_all.deb
horde3_3.1.4.orig.tar.gz
  to pool/main/h/horde3/horde3_3.1.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 434045@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 16 Jul 2007 01:40:30 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.4-1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 horde3     - horde web application framework
Closes: 420644 432237 434045
Changes: 
 horde3 (3.1.4-1) unstable; urgency=high
 .
   * New upstream release.
   * Transition to PHP5 for Recommends and Suggests fields. (Closes: #432237)
   * Remove old phpapi-* from Depends: (Closes: #420644)
   * Clean Depends, Recommends and Suggests fields.
   * Remove exec right for XML files in debian/rules.
   * Add locales in Recommends.
   * Disable upstream _detect_webroot() function (unsable in Debian).
   * Fix XSS vulnerability. See CVE-2007-1473 for more information.
     (Closes: #434045)
Files: 
 efeceaa75eed8844af702d591ff9277d 714 web optional horde3_3.1.4-1.dsc
 90bb96e810f165c2a853175303bd2dbb 5262198 web optional horde3_3.1.4.orig.tar.gz
 a44070d2a29e22bd2a6ecd98d71a7095 10872 web optional horde3_3.1.4-1.diff.gz
 4fd995b420a01fce25f5a09728812073 5288868 web optional horde3_3.1.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#434045; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #30 received at 434045@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: team@security.debian.org
Cc: 434045@bugs.debian.org
Subject: Re: [pkg-horde] Bug#434045: security-bug informations for horde3 package
Date: Mon, 24 Sep 2007 09:51:39 +0200
Hello,

Here is a little "ping" to know if you intend to fix this
security issue[*] opened since July 2007.

[*] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434045

Regards,

On Sun, Jul 22, 2007 at 09:06:48AM +0200, Gregory Colpart wrote:
> Hello,
> 
> The package horde3 has an XSS vulnerability (see CVE-2007-1473 and bug #434045).
> Affected versions are:
> - sarge version (3.0.4-4sarge4)
> - etch version (3.1.3-4)
> - testing/unstable version (3.1.3-5)
> 
> 
> Upstream patch is trivial
> (http://bugs.horde.org/ticket/?id=4816):
> 
> 8<----------------------------------
> - } elseif (!empty($lang)) {
> + } elseif (!empty($lang) && NLS::isValid($lang)) {
> 8<----------------------------------
> 
> 
> I prepared fixed packages:
> 
> - sarge version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge4_3.0.4-4sarge5.diff
> 
> - etch version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4_3.1.3-4etch1.diff
> 
> - unstable version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-5_3.1.4-1.diff
> 
> Note that I'm a member of the pkg-horde team but I'm not a DD, so
> I am waiting for my sponsor to upload the unstable package.
> 
> 
> If you want to test the vulnerability, you could go to:
> http://<server>/horde3/?new_lang=%22%3E%3Cbody%20onload=%22alert%28'hello%20world'%29%3B
> (I can provide you vulnerable URL in private if you want)
> 
> 
> Information for the advisory:
> 
> 8<----------------------------------
> horde3 -- XSS vulnerability
> 
> Date Reported:
>     ?? Jul 2007
> Affected Packages:
>     horde3
> Vulnerable:
>     Yes
> Security database references:
>     In Mitre's CVE dictionary: CVE-2007-1473
> More information:
> 
> It was discovered that the Horde web application framework has a cross-site
> scripting (XSS) vulnerability in framework/NLS/NLS.php, which allows remote attackers
> to inject arbitrary web script or HTML via the new_lang parameter.
> 
> For the old stable distribution (sarge) this problem has been fixed in version 3.0.4-4sarge5.
> 
> For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch1.
> 
> For the unstable distribution (sid) this problem has been fixed in version 3.1.4-1.
> 
> We recommend that you upgrade your horde3 package.
> 8<----------------------------------
> 
> 
> Regards,
> -- 
> Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
> Evolix - Informatique et Logiciels Libres http://www.evolix.fr/

-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <white@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #35 received at 434045-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 434045-close@bugs.debian.org
Subject: Bug#434045: fixed in horde3 3.0.4-4sarge5
Date: Mon, 17 Dec 2007 19:52:46 +0000
Source: horde3
Source-Version: 3.0.4-4sarge5

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.0.4-4sarge5.diff.gz
  to pool/main/h/horde3/horde3_3.0.4-4sarge5.diff.gz
horde3_3.0.4-4sarge5.dsc
  to pool/main/h/horde3/horde3_3.0.4-4sarge5.dsc
horde3_3.0.4-4sarge5_all.deb
  to pool/main/h/horde3/horde3_3.0.4-4sarge5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 434045@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 22 Jul 2007 06:29:12 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge5
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 horde3     - horde web application framework
Closes: 434045
Changes: 
 horde3 (3.0.4-4sarge5) oldstable-security; urgency=high
 .
   * Fix XSS vulnerability. See CVE-2007-1473 for more information.
     (Closes: #434045)
Files: 
 bf4441c4e366ceedb7cb7dd5e38fd9c5 920 web optional horde3_3.0.4-4sarge5.dsc
 7b8ff47dcc0e0caf0187947f30f335b5 12423 web optional horde3_3.0.4-4sarge5.diff.gz
 a18955b79597d93bc5e012e444181177 3436914 web optional horde3_3.0.4-4sarge5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----





Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <white@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #40 received at 434045-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 434045-close@bugs.debian.org
Subject: Bug#434045: fixed in horde3 3.1.3-4etch1
Date: Thu, 20 Dec 2007 19:52:59 +0000
Source: horde3
Source-Version: 3.1.3-4etch1

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.1.3-4etch1.diff.gz
  to pool/main/h/horde3/horde3_3.1.3-4etch1.diff.gz
horde3_3.1.3-4etch1.dsc
  to pool/main/h/horde3/horde3_3.1.3-4etch1.dsc
horde3_3.1.3-4etch1_all.deb
  to pool/main/h/horde3/horde3_3.1.3-4etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 434045@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 22 Jul 2007 06:29:12 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.3-4etch1
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 horde3     - horde web application framework
Closes: 434045
Changes: 
 horde3 (3.1.3-4etch1) stable-security; urgency=high
 .
   * Fix XSS vulnerability. See CVE-2007-1473 for more information.
     (Closes: #434045)
Files: 
 9fe3ec9d81a0d0c8ec6dd2ae3e14ed40 974 web optional horde3_3.1.3-4etch1.dsc
 fbc56c608ac81474b846b1b4b7bb5ee7 5232958 web optional horde3_3.1.3.orig.tar.gz
 84cad3aed2026c8a6358891897a15ee7 10633 web optional horde3_3.1.3-4etch1.diff.gz
 34a3af59a3469722ecf832948d390cea 5270226 web optional horde3_3.1.3-4etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Jan 2008 07:31:12 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 06:48:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.