Debian Bug report logs - #470640
horde3: CVE-2008-1284 file inclusion vulnerability


Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 12 Mar 2008 12:30:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions horde3/3.1.7-1, horde3/3.1.3-4etch3, horde3/3.0.4-4sarge7

Done: Gregory Colpart (evolix) <reg@evolix.fr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#470640; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: horde3: CVE-2008-1284 file inclusion vulnerability
Date: Wed, 12 Mar 2008 13:27:49 +0100
[Message part 1 (text/plain, inline)]
Package: horde3
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for horde3.

CVE-2008-1284[0]:
| Directory traversal vulnerability in Horde 3.1.6, Groupware before
| 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with
| certain configurations, allows remote authenticated users to read and
| execute arbitrary files via ".." sequences and a null byte in the
| theme name.

Patch is on:
http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.6-3.1.7.gz

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1284

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
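
The CVE text in the report above describes a theme name carrying ".." sequences and a null byte. As an added illustration (not Horde's code and not the upstream patch), this PHP example shows one defensive way to map a user-controlled theme preference to a file; the function name `resolve_theme_file`, the directory layout and the test values are hypothetical and constructed for the demonstration.

```php
<?php
// Added example: NOT Horde's code or the upstream patch. The function name,
// directory layout and sample values below are hypothetical.

/**
 * Map a user-controlled theme preference to a file under $themesDir.
 * Returns the canonical path, or null when the value must be refused.
 */
function resolve_theme_file(string $themesDir, string $theme, string $file): ?string
{
    // 1. Allowlist the identifier. \A and \z anchor the whole string, so an
    //    embedded NUL byte or trailing newline cannot slip past, and "." and
    //    "/" are not in the character class at all.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme) !== 1) {
        return null;
    }

    // 2. Canonicalise and confirm containment. This is defence in depth,
    //    for example against a theme directory that is a symlink elsewhere.
    $base = realpath($themesDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . $theme . '/' . $file);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a themes directory with one theme, plus a file
// outside it that must never be reachable through the preference.
$root = sys_get_temp_dir() . '/theme-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/themes/silver', 0700, true);
file_put_contents($root . '/themes/silver/screen.css', "body{}\n");
file_put_contents($root . '/secret.php', "<?php // outside themes\n");

// Constructed preference values; the third mirrors the shape named in the
// CVE description (".." sequences followed by a null byte).
$cases = [
    'silver',
    '..',
    "../../secret.php\0",
    "silver\n",
    'missing',
];

foreach ($cases as $theme) {
    $resolved = resolve_theme_file($root . '/themes', $theme, 'screen.css');
    printf(
        "%-24s => %s\n",
        json_encode($theme),
        $resolved === null ? 'rejected' : 'accepted'
    );
}

// Remove the fixture again.
unlink($root . '/themes/silver/screen.css');
unlink($root . '/secret.php');
rmdir($root . '/themes/silver');
rmdir($root . '/themes');
rmdir($root);
```

Only the first value is accepted; the allowlist refuses the traversal, null-byte and newline variants before any path is built, and the `realpath()` check refuses a well-formed name that does not exist under the themes directory.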

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#470640; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 470640@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 470640@bugs.debian.org
Subject: intent to NMU
Date: Sat, 15 Mar 2008 02:36:59 +0100
[Message part 1 (text/plain, inline)]
Hi,
attached is a patch for an NMU fixing this issue.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/horde3-3.1.6-1_3.1.6-1.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[horde3-3.1.6-1_3.1.6-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#470640; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 470640@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: Nico Golde <nion@debian.org>, 470640@bugs.debian.org
Subject: Re: [pkg-horde] Bug#470640: intent to NMU
Date: Sat, 15 Mar 2008 14:25:09 +0100
tag 470640 + pending
thanks

Hi,

On Sat, Mar 15, 2008 at 02:36:59AM +0100, Nico Golde wrote:
> attached is a patch for an NMU fixing this issue.
> It will be also archived on:
> http://people.debian.org/~nion/nmu-diff/horde3-3.1.6-1_3.1.6-1.1.patch

Note: I'm so sorry, I didn't mail you or tag "pending" this bug
(our ARCH repository doesn't tag BTS automatically).

For unstable, I have a "new upstream package" ready (I will ask
for sponsoring for it in a few minutes). For Etch and Sarge, I will
prepare patched packages if needed during this week-end.

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Tags added: pending Request was from Gregory Colpart <reg@evolix.fr> to control@bugs.debian.org. (Sat, 15 Mar 2008 13:27:21 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#470640; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #22 received at 470640@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: security@debian.org
Cc: 470640@bugs.debian.org, team@testing-security.debian.net
Subject: Fixed horde3 packages
Date: Sat, 15 Mar 2008 23:52:36 +0100
Hello,

The package horde3 has a vulnerability (see CVE-2008-1284, bug
#470640 and changelogs of fixed sarge/etch/sid packages).

I prepared fixed packages:

- Sarge version (source package and debdiff):
http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge7.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge6_3.0.4-4sarge7.diff

- Etch version (source package and debdiff):
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch3.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch2_3.1.3-4etch3.diff

- Sid version (source package and debdiff):
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.7-1.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.6-1_3.1.7-1.diff

[Note: I'm waiting for sponsoring for the sid package]


Information for the advisory:

8<----------------------------------
horde3 -- several vulnerabilities

Date Reported:
    ?? Mar 2008
Affected Packages:
    horde3
Vulnerable:
    Yes
Security database references:
    In Mitre's CVE dictionary: CVE-2008-1284
More information:

It was discovered that the Horde web application framework
permits arbitrary file inclusion through abuse of the theme
preference (CVE-2008-1284).

For the old stable distribution (sarge) this problem has been fixed in version 3.0.4-4sarge7.

For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch3.

For the unstable distribution (sid) this problem has been fixed in version 3.1.7-1.

We recommend that you upgrade your horde3 package.
8<----------------------------------


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#470640; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #27 received at 470640@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Gregory Colpart <reg@evolix.fr>
Cc: 470640@bugs.debian.org, team@testing-security.debian.net
Subject: Re: Fixed horde3 packages
Date: Sun, 16 Mar 2008 00:13:27 +0100
[Message part 1 (text/plain, inline)]
Hi Gregory,
* Gregory Colpart <reg@evolix.fr> [2008-03-15 23:56]:
[...] 
> - Sid version (source package and debdiff):
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.7-1.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.6-1_3.1.7-1.diff
> 
> [Note: I'm waiting for sponsoring for the sid package]

I can sponsor this today but please fix the copyright 
before. It is not listing the copyright holder, year etc.
Please see http://lists.debian.org/debian-devel-announce/2006/03/msg00023.html.

I don't want to violate the policy by this if I know about it :)
Please fix and I will upload it.
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#470640; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #32 received at 470640@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Gregory Colpart <reg@evolix.fr>
Cc: security@debian.org, 470640@bugs.debian.org, team@testing-security.debian.net
Subject: Re: Fixed horde3 packages
Date: Sun, 16 Mar 2008 00:14:23 +0100
[Message part 1 (text/plain, inline)]
Hi Gregory,

On Saturday 15 March 2008 23:52, Gregory Colpart wrote:
> - Sarge version (source package and debdiff):
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge7.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge6_3.0.4-4sarge7.diff
>
> - Etch version (source package and debdiff):
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch3.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch2_3.1.3-4etch3.diff
>
> - Sid version (source package and debdiff):
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.7-1.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.6-1_3.1.7-1.diff

Thank you for your diligent and complete work on this! I've just uploaded all 
these versions to the respective archives and am preparing the DSA right now.


cheers,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #37 received at 470640-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 470640-close@bugs.debian.org
Subject: Bug#470640: fixed in horde3 3.1.7-1
Date: Sat, 15 Mar 2008 23:17:03 +0000
Source: horde3
Source-Version: 3.1.7-1

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.1.7-1.diff.gz
  to pool/main/h/horde3/horde3_3.1.7-1.diff.gz
horde3_3.1.7-1.dsc
  to pool/main/h/horde3/horde3_3.1.7-1.dsc
horde3_3.1.7-1_all.deb
  to pool/main/h/horde3/horde3_3.1.7-1_all.deb
horde3_3.1.7.orig.tar.gz
  to pool/main/h/horde3/horde3_3.1.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 470640@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 14:00:34 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.7-1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 horde3     - horde web application framework
Closes: 376935 470283 470640
Changes: 
 horde3 (3.1.7-1) unstable; urgency=high
 .
   * New upstream release.
   * This new version has security fix: fix arbitrary file inclusion through
     abuse of the theme preference (see CVE-2008-1284 for more informations).
     (Closes: #470640)
   * Fix typo in debian/rules comments.
   * Add php-net-imap package in "Suggests" field. (Closes: #470283)
   * Add libgeoip1 package in "Suggests" field. (Closes: #376935)
Files: 
 14d243b25373c84aa25f2bed8a830d53 1220 web optional horde3_3.1.7-1.dsc
 c0e693f88d95e395671abbff2ab6df53 5288106 web optional horde3_3.1.7.orig.tar.gz
 97b896348b65a9bd32fab1b0b7a28ead 11867 web optional horde3_3.1.7-1.diff.gz
 4e58243e7fbf92ead9c3ba2d53b4d2e8 5330396 web optional horde3_3.1.7-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#470640; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #42 received at 470640@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: Nico Golde <nion@debian.org>
Cc: 470640@bugs.debian.org, team@testing-security.debian.net, pkg-horde-hackers@lists.alioth.debian.org
Subject: Re: Fixed horde3 packages
Date: Sun, 16 Mar 2008 00:51:21 +0100
Hi,

On Sun, Mar 16, 2008 at 12:13:27AM +0100, Nico Golde wrote:
> 
> I can sponsor this today but please fix the copyright 
> before. It is not listing the copyright holder, year etc.
> Please see http://lists.debian.org/debian-devel-announce/2006/03/msg00023.html.

I'm aware of this copyright problem[*] which applies
to a lot of horde packages. I/We will fix them ASAP.

[*]http://lists.alioth.debian.org/pipermail/pkg-horde-hackers/2008-February/002067.html

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #47 received at 470640-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 470640-close@bugs.debian.org
Subject: Bug#470640: fixed in horde3 3.1.3-4etch3
Date: Fri, 21 Mar 2008 07:52:14 +0000
Source: horde3
Source-Version: 3.1.3-4etch3

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.1.3-4etch3.diff.gz
  to pool/main/h/horde3/horde3_3.1.3-4etch3.diff.gz
horde3_3.1.3-4etch3.dsc
  to pool/main/h/horde3/horde3_3.1.3-4etch3.dsc
horde3_3.1.3-4etch3_all.deb
  to pool/main/h/horde3/horde3_3.1.3-4etch3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 470640@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 19:08:56 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.3-4etch3
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 horde3     - horde web application framework
Closes: 470640
Changes: 
 horde3 (3.1.3-4etch3) stable-security; urgency=high
 .
   * Fix arbitrary file inclusion through abuse of the theme preference (see
     CVE-2008-1284 for more informations). (Closes: #470640
Files: 
 f8929682acb675550e4235c62a99cbe6 974 web optional horde3_3.1.3-4etch3.dsc
 d79fbe74794a4f6c70f208ba3a55bebc 13100 web optional horde3_3.1.3-4etch3.diff.gz
 d4a9a4db3744a2cd496ed499c39ec6b3 5270328 web optional horde3_3.1.3-4etch3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----





Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #52 received at 470640-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 470640-close@bugs.debian.org
Subject: Bug#470640: fixed in horde3 3.0.4-4sarge7
Date: Fri, 21 Mar 2008 07:52:24 +0000
Source: horde3
Source-Version: 3.0.4-4sarge7

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.0.4-4sarge7.diff.gz
  to pool/main/h/horde3/horde3_3.0.4-4sarge7.diff.gz
horde3_3.0.4-4sarge7.dsc
  to pool/main/h/horde3/horde3_3.0.4-4sarge7.dsc
horde3_3.0.4-4sarge7_all.deb
  to pool/main/h/horde3/horde3_3.0.4-4sarge7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 470640@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 19:17:29 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge7
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 horde3     - horde web application framework
Closes: 470640
Changes: 
 horde3 (3.0.4-4sarge7) oldstable-security; urgency=high
 .
   * Fix arbitrary file inclusion through abuse of the theme preference (see
     CVE-2008-1284 for more informations). (Closes: #470640)
Files: 
 b3374347290398c40e95d94ca72f089c 920 web optional horde3_3.0.4-4sarge7.dsc
 01c1df81c247bf310367f50859ebb2ff 14280 web optional horde3_3.0.4-4sarge7.diff.gz
 4c4fa0aa9f5347785ca74f414165f934 3437956 web optional horde3_3.0.4-4sarge7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----





Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #57 received at 470640-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 470640-close@bugs.debian.org
Subject: Bug#470640: fixed in horde3 3.0.4-4sarge7
Date: Sat, 12 Apr 2008 17:54:42 +0000
Source: horde3
Source-Version: 3.0.4-4sarge7

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.0.4-4sarge7.diff.gz
  to pool/main/h/horde3/horde3_3.0.4-4sarge7.diff.gz
horde3_3.0.4-4sarge7.dsc
  to pool/main/h/horde3/horde3_3.0.4-4sarge7.dsc
horde3_3.0.4-4sarge7_all.deb
  to pool/main/h/horde3/horde3_3.0.4-4sarge7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 470640@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 19:17:29 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge7
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 horde3     - horde web application framework
Closes: 470640
Changes: 
 horde3 (3.0.4-4sarge7) oldstable-security; urgency=high
 .
   * Fix arbitrary file inclusion through abuse of the theme preference (see
     CVE-2008-1284 for more informations). (Closes: #470640)
Files: 
 b3374347290398c40e95d94ca72f089c 920 web optional horde3_3.0.4-4sarge7.dsc
 01c1df81c247bf310367f50859ebb2ff 14280 web optional horde3_3.0.4-4sarge7.diff.gz
 4c4fa0aa9f5347785ca74f414165f934 3437956 web optional horde3_3.0.4-4sarge7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----





Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #62 received at 470640-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 470640-close@bugs.debian.org
Subject: Bug#470640: fixed in horde3 3.1.3-4etch3
Date: Sat, 26 Jul 2008 09:40:37 +0000
Source: horde3
Source-Version: 3.1.3-4etch3

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.1.3-4etch3.diff.gz
  to pool/main/h/horde3/horde3_3.1.3-4etch3.diff.gz
horde3_3.1.3-4etch3.dsc
  to pool/main/h/horde3/horde3_3.1.3-4etch3.dsc
horde3_3.1.3-4etch3_all.deb
  to pool/main/h/horde3/horde3_3.1.3-4etch3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 470640@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 19:08:56 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.3-4etch3
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 horde3     - horde web application framework
Closes: 470640
Changes: 
 horde3 (3.1.3-4etch3) stable-security; urgency=high
 .
   * Fix arbitrary file inclusion through abuse of the theme preference (see
     CVE-2008-1284 for more informations). (Closes: #470640
Files: 
 f8929682acb675550e4235c62a99cbe6 974 web optional horde3_3.1.3-4etch3.dsc
 d79fbe74794a4f6c70f208ba3a55bebc 13100 web optional horde3_3.1.3-4etch3.diff.gz
 d4a9a4db3744a2cd496ed499c39ec6b3 5270328 web optional horde3_3.1.3-4etch3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:31:29 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 20:56:56 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.