Debian Bug report logs - #478121
kronolith2: XSS vulnerability

Package: kronolith2; Maintainer for kronolith2 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Gregory Colpart <reg@evolix.fr>

Date: Sun, 27 Apr 2008 10:30:01 UTC

Severity: important

Tags: security

Found in version kronolith2/2.1.4-1

Fixed in versions kronolith2/2.1.8-1, kronolith2/2.1.4-1etch1

Done: Gregory Colpart (evolix) <reg@evolix.fr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#478121; Package kronolith2.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: submit@bugs.debian.org
Subject: kronolith2: XSS vulnerability
Date: Sun, 27 Apr 2008 12:26:49 +0200
Package: kronolith2
Version: 2.1.4-1
Severity: important
Tags: security

The package kronolith2 has an XSS vulnerability. See:
http://forum.aria-security.com/showthread.php?t=49
https://bugs.gentoo.org/show_bug.cgi?id=219304

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#478121; Package kronolith2.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #10 received at 478121@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: security@debian.org
Cc: 478121@bugs.debian.org, team@testing-security.debian.net
Subject: Fixed kronolith2 packages
Date: Sun, 27 Apr 2008 12:41:19 +0200
Hello,

The package kronolith2 has an XSS vulnerability (see #478121).
Note that I have private mails from upstream for coordination between
vendors (I can forward these mails if you want).

I prepared fixed packages:

- Etch version (source package and debdiff):
http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.4-1etch1.dsc
http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.4-1_2.1.4-1etch1.diff

- Sid version (source package and debdiff):
<not yet... I'm waiting for Kronolith 2.1.8...>

*draft* of information for the advisory:

8<----------------------------------
kronolith2 -- XSS vulnerability

Date Reported:
    ?? Apr 2008
Affected Packages:
    kronolith2
Vulnerable:
    Yes
Security database references:
    In Mitre's CVE dictionary: CVE-2008-????
More information:

It was discovered that Kronolith has an XSS vulnerability
in the add event screen.

For the stable distribution (etch) this problem has been fixed in version 2.1.4-1etch1.

For the unstable distribution (sid) this problem *will be* fixed in version 2.1.8-1.

We recommend that you upgrade your kronolith2 package.
8<----------------------------------


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#478121; Package kronolith2.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #15 received at 478121@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: 478121@bugs.debian.org
Cc: security@debian.org, team@testing-security.debian.net
Subject: Re: [pkg-horde] Bug#478121: Fixed kronolith2 packages
Date: Mon, 28 Apr 2008 02:10:57 +0200
Update:

- Etch version (source package and debdiff):
http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.4-1etch1.dsc
http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.4-1_2.1.4-1etch1.diff

- Sid version (source package and debdiff):
http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.8-1.dsc
http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.7-1_2.1.8-1.diff

[Note: I'm waiting for sponsoring of the sid package]

Information for the advisory:

8<----------------------------------
kronolith2 -- XSS vulnerability

Date Reported:
    ?? Apr 2008
Affected Packages:
    kronolith2
Vulnerable:
    Yes
Security database references:
    In Mitre's CVE dictionary: CVE-2008-????
More information:

It was discovered that Kronolith, the calendar component for the
Horde Framework, had a cross-site scripting vulnerability in the
add event screen. The input passed to the "url" parameter in the
file addevent.php was not properly sanitized.

For the stable distribution (etch) this problem has been fixed in version 2.1.4-1etch1.

For the unstable distribution (sid) this problem has been fixed in version 2.1.8-1.

We recommend that you upgrade your kronolith2 package.
8<----------------------------------


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
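The advisory text above identifies the defect as the "url" parameter of addevent.php being echoed without sanitisation. The snippet below is an added illustration of that defect class beside its fix, written for this bug log; it is not Kronolith's own code, and the function names and sample input are assumed. The hardened version escapes for the HTML attribute context, and, because a URL field is typically also emitted as a link target, it restricts the scheme to http/https so that escaping alone is not the only line of defence.

```php
<?php
// Added example for Debian bug #478121 / CVE-2008-1974: a request
// parameter rendered into HTML without output encoding, and the fix.
// Not Kronolith's code; helper names are assumed for illustration.

/** Vulnerable pattern: the raw parameter is interpolated into markup. */
function render_url_field_vulnerable(array $request): string
{
    $url = isset($request['url']) ? $request['url'] : '';
    // A double quote in $url closes the attribute and any following
    // characters become part of the page's markup.
    return '<input type="text" name="url" value="' . $url . '">';
}

/** Fixed pattern: encode for the HTML attribute context before output. */
function render_url_field_safe(array $request): string
{
    $url = isset($request['url']) ? (string) $request['url'] : '';
    // ENT_QUOTES encodes both ' and ", so the attribute cannot be closed
    // early; < and > are encoded as well, so no tags can be introduced.
    $escaped = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="url" value="' . $escaped . '">';
}

/** For use as an href target: accept only web URLs, then encode. */
function safe_href(string $url): string
{
    $parts = parse_url($url);
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';   // reject anything that is not a plain web link
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a value that closes the attribute and adds markup.
$sample = ['url' => 'http://example.org/"><i>injected</i>'];

echo render_url_field_vulnerable($sample), "\n";   // markup leaks into the page
echo render_url_field_safe($sample), "\n";         // quotes and brackets encoded
echo safe_href('ftp://example.org/file'), "\n";   // empty: scheme not allowed
```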




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#478121; Package kronolith2.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #20 received at 478121@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: Gregory Colpart <reg@evolix.fr>, 478121@bugs.debian.org
Cc: security@debian.org, team@testing-security.debian.net
Subject: Re: [pkg-horde] Bug#478121: Bug#478121: Fixed kronolith2 packages
Date: Mon, 28 Apr 2008 10:16:12 +0200
Hi Gregory

Please upload to the usual place and I'll upload the sid package.

Best regards,

// Ola


-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  ola@inguza.com                      654 65 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#478121; Package kronolith2.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #25 received at 478121@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: Gregory Colpart <reg@evolix.fr>
Cc: 478121@bugs.debian.org, security@debian.org, team@testing-security.debian.net
Subject: Re: [pkg-horde] Bug#478121: Fixed kronolith2 packages
Date: Mon, 28 Apr 2008 11:41:29 +0200
On Monday 28 April 2008 02:10, Gregory Colpart wrote:
> - Etch version (source package and debdiff):
> http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.4-1etch1.dsc
> http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.4-1_2.1.4-1etch1.diff

Thanks for your work, it looks good. I'll work on a DSA right away.


Thijs




Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility.

Notification sent to Gregory Colpart <reg@evolix.fr>:
Bug acknowledged by developer.

Message #30 received at 478121-close@bugs.debian.org:

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 478121-close@bugs.debian.org
Subject: Bug#478121: fixed in kronolith2 2.1.8-1
Date: Mon, 28 Apr 2008 10:32:02 +0000
Source: kronolith2
Source-Version: 2.1.8-1

We believe that the bug you reported is fixed in the latest version of
kronolith2, which is due to be installed in the Debian FTP archive:

kronolith2_2.1.8-1.diff.gz
  to pool/main/k/kronolith2/kronolith2_2.1.8-1.diff.gz
kronolith2_2.1.8-1.dsc
  to pool/main/k/kronolith2/kronolith2_2.1.8-1.dsc
kronolith2_2.1.8-1_all.deb
  to pool/main/k/kronolith2/kronolith2_2.1.8-1_all.deb
kronolith2_2.1.8.orig.tar.gz
  to pool/main/k/kronolith2/kronolith2_2.1.8.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 478121@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated kronolith2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 28 Apr 2008 01:39:49 +0200
Source: kronolith2
Binary: kronolith2
Architecture: source all
Version: 2.1.8-1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 kronolith2 - calendar component for Horde Framework
Closes: 478121
Changes: 
 kronolith2 (2.1.8-1) unstable; urgency=high
 .
   * New upstream release.
   * Fix XSS vulnerability in the add event screen. (Closes: #478121)
   * debian/copyright file improvements.






Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#478121; Package kronolith2.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #35 received at 478121@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: Gregory Colpart <reg@evolix.fr>
Cc: 478121@bugs.debian.org, security@debian.org
Subject: Re: [pkg-horde] Bug#478121: Fixed kronolith2 packages
Date: Wed, 30 Apr 2008 16:53:41 +0200
Gregory,

On Monday 28 April 2008 02:10, Gregory Colpart wrote:
> - Etch version (source package and debdiff):
> http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.4-1etch1.dsc
> http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.4-1_2.1.4-1etch1.diff
>
> - Sid version (source package and debdiff):
> http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.8-1.dsc
> http://gcolpart.evolix.net/debian/kronolith2/kronolith2_2.1.7-1_2.1.8-1.diff

This has been assigned CVE-2008-1974; could you include that retroactively in 
your changelogs for the versions above?


thanks,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#478121; Package kronolith2.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #40 received at 478121@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 478121@bugs.debian.org, security@debian.org
Subject: Re: [pkg-horde] Bug#478121: Fixed kronolith2 packages
Date: Thu, 1 May 2008 00:09:05 +0200
On Wed, Apr 30, 2008 at 04:53:41PM +0200, Thijs Kinkhorst wrote:
> 
> This has been assigned CVE-2008-1974; could you include that retroactively in 
> your changelogs for the versions above?

Done in our repository:
http://arch.debian.org/cgi-bin/archzoom.cgi/pkg-horde-hackers@lists.alioth.debian.org--2006/kronolith--sid--2--patch-37/debian/changelog
http://arch.debian.org/cgi-bin/archzoom.cgi/pkg-horde-hackers@lists.alioth.debian.org--2006/kronolith--etch--2--patch-2/debian/changelog

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility.

Notification sent to Gregory Colpart <reg@evolix.fr>:
Bug acknowledged by developer.

Message #45 received at 478121-close@bugs.debian.org:

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 478121-close@bugs.debian.org
Subject: Bug#478121: fixed in kronolith2 2.1.4-1etch1
Date: Sun, 04 May 2008 19:52:22 +0000
Source: kronolith2
Source-Version: 2.1.4-1etch1

We believe that the bug you reported is fixed in the latest version of
kronolith2, which is due to be installed in the Debian FTP archive:

kronolith2_2.1.4-1etch1.diff.gz
  to pool/main/k/kronolith2/kronolith2_2.1.4-1etch1.diff.gz
kronolith2_2.1.4-1etch1.dsc
  to pool/main/k/kronolith2/kronolith2_2.1.4-1etch1.dsc
kronolith2_2.1.4-1etch1_all.deb
  to pool/main/k/kronolith2/kronolith2_2.1.4-1etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 478121@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated kronolith2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sun, 27 Apr 2008 06:13:11 +0200
Source: kronolith2
Binary: kronolith2
Architecture: source all
Version: 2.1.4-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 kronolith2 - calendar component for Horde Framework
Closes: 478121
Changes: 
 kronolith2 (2.1.4-1etch1) stable-security; urgency=high
 .
   * Fix XSS vulnerability in the add event screen. (Closes: #478121)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Jun 2008 07:29:34 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:46:42 2014; Machine Name: buxtehude.debian.org
