Debian Bug report logs - #492578
horde3: Small XSS/unescaped output in services/obrowser/index.php


Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Gregory Colpart <reg@evolix.fr>

Date: Sun, 27 Jul 2008 12:57:02 UTC

Severity: important

Tags: patch, security

Found in version horde3/3.1.3-4etch3

Fixed in version 3.1.3-4etch5

Done: Gregory Colpart <reg@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>: New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: submit@bugs.debian.org
Subject: horde3: Small XSS/unescaped output in services/obrowser/index.php
Date: Sun, 27 Jul 2008 14:54:53 +0200
Package: horde3
Version: 3.1.3-4etch3
Severity: important
Tags: patch security

Hello,

There is a small XSS/unescaped output (only exploitable by
someone who can create a contact, and requiring the victim to
have access to that contact).

Patch inline:

Index: services/obrowser/index.php
===================================================================
RCS file: /repository/horde/services/obrowser/index.php,v
retrieving revision 1.18
diff -u -r1.18 index.php
--- services/obrowser/index.php 2 Jan 2008 11:13:57 -0000       1.18
+++ services/obrowser/index.php 13 Jun 2008 21:37:43 -0000
@@ -92,10 +92,10 @@
     if (!empty($values['browseable'])) {
         $url = Horde::url($registry->get('webroot', 'horde') . '/services/obrowser/');
         $url = Util::addParameter($url, 'path', $path);
-        $row['name'] = Horde::link($url) . $values['name'] . '</a>';
+        $row['name'] = Horde::link($url) . htmlspecialchars($values['name']) . '</a>';
     } else {
         $js = "return chooseObject('" . addslashes($path) . "');";
-        $row['name'] = Horde::link('#', sprintf(_("Choose %s"), $values['name']), '', '', $js) . $values['name'] . '</a>';
+        $row['name'] = Horde::link('#', sprintf(_("Choose %s"), $values['name']), '', '', $js) . htmlspecialchars($values['name']) . '</a>';
     }

     $rows[] = $row;
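Review bot: in the second branch the name is now escaped in the link text but is still passed raw as the title argument, `Horde::link('#', sprintf(_("Choose %s"), $values['name']), '', '', $js)`; that is only safe if Horde::link escapes its title parameter itself, which this hunk does not show. If it does not, escape once and reuse the result, e.g. `$name = htmlspecialchars($values['name'], ENT_QUOTES);` and then use `$name` both inside the sprintf() and as the link text. Two smaller points: htmlspecialchars() is called with its default flags, which (before PHP 8.1) leave single quotes unescaped, so pass ENT_QUOTES if the value can ever land in a single-quoted attribute; and `addslashes($path)` in `$js` escapes the path for the JavaScript string literal only, not for the HTML onclick attribute wrapping it, so a double quote in $path would still terminate the attribute unless Horde::link encodes it.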

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
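To make the effect of the patch concrete, here is an added PHP example; it is not Horde code and not part of the bug report. It rebuilds the `else` branch from the hunk around a minimal stand-in for Horde::link (an assumption: the real helper's escaping behaviour is not shown anywhere on this page) and renders two constructed contact names through the pre-patch code, the patched code, and a stricter variant that escapes the name once for both the title attribute and the link text. The object path is made up.

```php
<?php
// Added example, not Horde code: the obrowser 'else' branch from the patch,
// rebuilt around a minimal stand-in for Horde::link so that the effect of
// the fix can be seen on constructed contact names.

/**
 * Stand-in for Horde::link($url, $title, $class, $target, $onclick).
 * ASSUMPTION: it escapes nothing itself (the real helper's behaviour is not
 * shown in the bug report), so caller-supplied strings land verbatim in the
 * markup. $class and $target are dropped because the patch passes '' for both.
 */
function horde_link_stub(string $url, string $title = '', string $onclick = ''): string
{
    $attrs = 'href="' . $url . '"';
    if ($title !== '') {
        $attrs .= ' title="' . $title . '"';
    }
    if ($onclick !== '') {
        $attrs .= ' onclick="' . $onclick . '"';
    }
    return '<a ' . $attrs . '>';
}

/** Pre-patch branch: the contact name reaches the link text unescaped. */
function row_name_before(string $name, string $path): string
{
    $js = "return chooseObject('" . addslashes($path) . "');";
    return horde_link_stub('#', sprintf('Choose %s', $name), $js) . $name . '</a>';
}

/** Patched branch: the link text goes through htmlspecialchars(), the title does not. */
function row_name_after(string $name, string $path): string
{
    $js = "return chooseObject('" . addslashes($path) . "');";
    return horde_link_stub('#', sprintf('Choose %s', $name), $js)
        . htmlspecialchars($name) . '</a>';
}

/**
 * Stricter variant (not in the patch): escape once with ENT_QUOTES, which also
 * covers single quotes (left alone by the pre-PHP 8.1 default flags), and use
 * the escaped value for both the title attribute and the link text.
 */
function row_name_hardened(string $name, string $path): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $js = "return chooseObject('" . addslashes($path) . "');";
    return horde_link_stub('#', sprintf('Choose %s', $safe), $js) . $safe . '</a>';
}

// Constructed attacker-controlled contact names: the first injects into the
// link text, the second breaks out of the double-quoted title attribute.
$names = [
    '<img src=x onerror=alert(1)>',
    'x" onmouseover="alert(1)',
];
$path = 'turba/contacts/1'; // made-up object path

foreach ($names as $name) {
    echo "name:     ", $name, "\n";
    echo "before:   ", row_name_before($name, $path), "\n";
    echo "after:    ", row_name_after($name, $path), "\n";
    echo "hardened: ", row_name_hardened($name, $path), "\n\n";
}
```

Run it with `php example.php`. Under the stub's assumption the second name still breaks out of the title attribute in the patched variant, which is exactly the question a reviewer should settle by reading Horde::link itself; if that helper already escapes its title argument, the hardened variant would double-escape it, and the escaping should then stay in the one place that does it.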




Message #10 received at 492578@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Gregory Colpart <reg@evolix.fr>, 492578@bugs.debian.org
Subject: Re: Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php
Date: Sun, 27 Jul 2008 15:31:37 +0200
Hi Gregory,
* Gregory Colpart <reg@evolix.fr> [2008-07-27 15:23]:
> There is a small XSS/unescaped output (only exploitable by
> someone who can create a contact, and requiring the victim to
> have access to that contact).
[...] 
This seems to be already fixed in unstable. Which version 
did fix this? I can't see an old CVE id describing this 
problem, is a new CVE id needed for this one?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #15 received at 492578@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: Nico Golde <nion@debian.org>
Cc: 492578@bugs.debian.org
Subject: Re: Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php
Date: Sun, 27 Jul 2008 15:52:30 +0200
Hi,

On Sun, Jul 27, 2008 at 03:31:37PM +0200, Nico Golde wrote:
> This seems to be already fixed in unstable.

Yes, sure! This issue is only for etch.


> Which version did fix this?

3.2.1+debian0-1 fixed it.


> I can't see an old CVE id describing this problem, is a new CVE
> id needed for this one?

There is no CVE id for it. I'm not sure Debian needs a new CVE id
because upstream said only Horde 3.2 and Turba 2.2 are affected
(these versions are *not* in Debian). Today I'm reviewing old
issues and I found Horde 3.1 could also be affected: I sent
mail to upstream to ask for confirmation. I propose that you wait
for their answer.


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Message #20 received at 492578@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Gregory Colpart <reg@evolix.fr>, 492578@bugs.debian.org
Subject: Re: Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php
Date: Sun, 27 Jul 2008 17:38:20 +0200
Hi Gregory,
* Gregory Colpart <reg@evolix.fr> [2008-07-27 16:42]:
> On Sun, Jul 27, 2008 at 03:31:37PM +0200, Nico Golde wrote:
> > Which version did fix this?
> 
> 3.2.1+debian0-1 fixed it.

Thanks

> > I can't see an old CVE id describing this problem, is a new CVE
> > id needed for this one?
> 
> There is no CVE id for it. I'm not sure Debian needs a new CVE id
> because upstream said only Horde 3.2 and Turba 2.2 are affected
> (this versions are *not* in Debian).

But they were in the archive and other vendors might still have them in 
their archive. I also added 2.2.1-1 as the fixed version in 
the security tracker and requested a CVE id.

Cheers
Nico
P.S. Please mention such fixes as security fixes in the 
changelog next time so we can get them easier on our 
radars.

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #25 received at 492578@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: Nico Golde <nion@debian.org>
Cc: 492578@bugs.debian.org
Subject: Re: Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php
Date: Sun, 27 Jul 2008 17:48:50 +0200
Hi,

On Sun, Jul 27, 2008 at 05:38:20PM +0200, Nico Golde wrote:
> > > I can't see an old CVE id describing this problem, is a new CVE
> > > id needed for this one?
> > 
> > There is no CVE id for it. I'm not sure Debian needs a new CVE id
> > because upstream said only Horde 3.2 and Turba 2.2 are affected
> > (this versions are *not* in Debian).
> 
> But they were in the archive and other vendors might still have them in 
> their archive. I also added 2.2.1-1 as the fixed version in 
> the security tracker and requested a CVE id.

No, these versions were never in the archive.
But yes, other vendors could be affected.


> P.S. Please mention such fixes as security fixes in the 
> changelog next time so we can get them easier on our 
> radars.

Even if the version affected was not in Debian?


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Message #30 received at 492578@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Gregory Colpart <reg@evolix.fr>, 492578@bugs.debian.org
Subject: Re: Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php
Date: Sun, 27 Jul 2008 18:56:28 +0200
Hi Gregory,
* Gregory Colpart <reg@evolix.fr> [2008-07-27 18:49]:
> On Sun, Jul 27, 2008 at 05:38:20PM +0200, Nico Golde wrote:
> > > > I can't see an old CVE id describing this problem, is a new CVE
> > > > id needed for this one?
> > > 
> > > There is no CVE id for it. I'm not sure Debian needs a new CVE id
> > > because upstream said only Horde 3.2 and Turba 2.2 are affected
> > > (this versions are *not* in Debian).
> > 
> > But they were in the archive and other vendors might still have them in 
> > their archive. I also added 2.2.1-1 as the fixed version in 
> > the security tracker and requested a CVE id.
> 
> No, these versions were never in the archive.
> But yes, other vendors could be affected.

Now I am confused why you opened the bug report then :)
Anyway, every security issue should get a CVE id.
Even if no version in Debian was affected by this it helps 
us to track the security issue.

> > P.S. Please mention such fixes as security fixes in the 
> > changelog next time so we can get them easier on our 
> > radars.
> 
> Even if the version affected was not in Debian?

No, sure not. I just saw you mentioned it in the turba 
changelog (not as security fix) and not in the horde 
changelog.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #35 received at 492578@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 492578@bugs.debian.org
Subject: CVE id assigned
Date: Mon, 28 Jul 2008 00:33:14 +0200
Hi,
a CVE id has been assigned to this issue:

======================================================
Name: CVE-2008-3330
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3330
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492578

Cross-site scripting (XSS) vulnerability in
services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote
attackers to inject arbitrary web script or HTML via the contact name.


Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #40 received at 492578@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: 492578@bugs.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: [chuck@horde.org: Re: [horde-vendor] Pending release of Horde 3.2.1 and Turba 2.2.1]
Date: Tue, 29 Jul 2008 21:26:16 +0200
Hi,

I have confirmation from upstream that horde3 in stable is affected.

Regards,

----- Forwarded message from Chuck Hagenbuch <chuck@horde.org> -----

Date: Mon, 28 Jul 2008 00:35:05 -0400
From: Chuck Hagenbuch <chuck@horde.org>
To: Gregory Colpart <reg@evolix.fr>
Subject: Re: [horde-vendor] Pending release of Horde 3.2.1 and Turba 2.2.1
Message-ID: <20080728003505.131045q34qn0lrwg@technest.org>
References: <20080613174043.17513zvzso5nca4g@technest.org>
	<20080727150729.onganohv@hamtrap.sc420.evolix.net>
User-Agent: Internet Messaging Program (IMP) H3 (5.0-cvs)

Quoting Gregory Colpart <reg@evolix.fr>:

>I'm reviewing this issue to see if Horde 3.1 and Turba 2.1 are
>affected. Here are the results:
>
>- Horde 3.1 seems to be affected (your patch for
>  'services/obrowser/index.php' file just works).
>
>- Turba 2.1 is not. 'contact.php' file doesn't exist, code is in
>  'browse.php' and 'templates/browse/header.inc':
>
>browse.php:
>--8<--
>            $title = sprintf(_("Contacts in list: %s"),
>                             $list->getValue('name'));
>--8<--
>
>templates/browse/header.inc:
>--8<--
><h1 class="header">
> <?php echo htmlspecialchars($title) ?>
></h1>
>--8<--
>
>  I think Turba 2.1 is not affected.

Correct.

>Can you confirm these results for me? If yes, do you think Horde 3.1
>needs to be patched anyway?

We released Horde 3.1.8 at the same time as 3.2.1 for this reason.

-chuck


----- End forwarded message -----

-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Message #45 received at 492578@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: Nico Golde <nion@debian.org>
Cc: 492578@bugs.debian.org
Subject: Re: Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php
Date: Sun, 17 Aug 2008 02:53:54 +0200
Hi,

On Sun, Jul 27, 2008 at 05:38:20PM +0200, Nico Golde wrote:
> P.S. Please mention such fixes as security fixes in the 
> changelog next time so we can get them easier on our 
> radars.

It will be on next upload in unstable:
http://arch.debian.org/cgi-bin/archzoom.cgi/pkg-horde-hackers@lists.alioth.debian.org--2006/horde--sid--3--patch-116/debian/changelog

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Message #50 received at 492578@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: security@debian.org
Cc: 492578@bugs.debian.org, team@testing-security.debian.net
Subject: Fixed horde3 packages
Date: Sun, 17 Aug 2008 02:56:45 +0200
Hello,

The package horde3 has a vulnerability (see CVE-2008-3330 and
#492578).

I prepared a fixed package for the etch version (source package and
debdiff):
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch4.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch3_3.1.3-4etch4.diff

Information for the advisory:

8<----------------------------------
horde3 -- cross-site scripting vulnerability

Date Reported:
    ?? Aug 2008
Affected Packages:
    horde3
Vulnerable:
    Yes
Security database references:
    In Mitre's CVE dictionary: CVE-2008-3330
More information:

It was discovered that the Horde web application framework
has insufficient input sanitising in services/obrowser/index.php
(CVE-2008-3330).

For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch4.

The unstable distribution (sid) is not affected.

We recommend that you upgrade your horde3 package.
8<----------------------------------

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Message #55 received at 492578@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Gregory Colpart <reg@evolix.fr>
Cc: security@debian.org, 492578@bugs.debian.org, team@testing-security.debian.net
Subject: Re: Fixed horde3 packages
Date: Sun, 17 Aug 2008 13:36:24 +0200
Hi Gregory,
* Gregory Colpart <reg@evolix.fr> [2008-08-17 13:20]:
> The package horde3 has a vulnerability (See CVE-2008-3330 and
> #492578).
> 
> I prepared fixed package for etch version (source package and
> debdiff):
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch4.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch3_3.1.3-4etch4.diff

Looks good to me. Thanks for the work. Feel free to upload 
this to security-master so someone from the stable team can 
release it.

[...] 
> For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch4.
> 
> The unstable distribution (sid) is not affected.

This is wrong, it is fixed in 3.2.1+debian0-1. Not affected 
is only used if the package in Debian was never affected 
because of a specific reason, like for example patched code. 
If a vulnerable version was never in unstable we still 
include version numbers for the tracker.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #60 received at 492578@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: Nico Golde <nion@debian.org>
Cc: security@debian.org, 492578@bugs.debian.org, team@testing-security.debian.net
Subject: Re: Fixed horde3 packages
Date: Mon, 18 Aug 2008 19:23:36 +0200
Hi Nico,

On Sun, Aug 17, 2008 at 01:36:24PM +0200, Nico Golde wrote:
> > I prepared fixed package for etch version (source package and
> > debdiff):
> > http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch4.dsc
> > http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch3_3.1.3-4etch4.diff
> 
> Looks good to me. Thanks for the work. Feel free to upload 
> this to security-master so someone from the stable team can 
> release it.

Ok but IANyADD (currently in NM), then I think it's not yet relevant.


> [...] 
> > For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch4.
> > 
> > The unstable distribution (sid) is not affected.
> 
> This is wrong, it is fixed in 3.2.1+debian0-1. Not affected 
> is only used if the package in Debian was never affected 
> because of a specific reason, like for example patched code. 
> If a vulnerable version was never in unstable we still 
> include version numbers for the tracker.

Oops, I'll note that for my next draft of the advisory!


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Tags added: pending. Request was from Gregory Colpart <reg@evolix.fr> to control@bugs.debian.org. (Tue, 19 Aug 2008 07:39:15 GMT)

Reply sent to Gregory Colpart <reg@evolix.fr>: You have taken responsibility. (Sun, 26 Apr 2009 01:54:06 GMT)

Message #67 received at 492578-done@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: 492578-done@bugs.debian.org
Subject: Fixed packages are uploaded
Date: Sun, 26 Apr 2009 03:52:04 +0200
Version: 3.1.3-4etch5

Fixed packages are uploaded.

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Reply sent to Gregory Colpart <reg@debian.org>: You have taken responsibility. (Sat, 02 May 2009 20:00:16 GMT)

Message #72 received at 492578-close@bugs.debian.org:

From: Gregory Colpart <reg@debian.org>
To: 492578-close@bugs.debian.org
Subject: Bug#492578: fixed in horde3 3.1.3-4etch5
Date: Sat, 02 May 2009 19:54:46 +0000
Source: horde3
Source-Version: 3.1.3-4etch5

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.1.3-4etch5.diff.gz
  to pool/main/h/horde3/horde3_3.1.3-4etch5.diff.gz
horde3_3.1.3-4etch5.dsc
  to pool/main/h/horde3/horde3_3.1.3-4etch5.dsc
horde3_3.1.3-4etch5_all.deb
  to pool/main/h/horde3/horde3_3.1.3-4etch5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 492578@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart <reg@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Jan 2009 03:17:37 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.3-4etch5
Distribution: oldstable-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart <reg@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 492578 512592 513265
Changes: 
 horde3 (3.1.3-4etch5) oldstable-security; urgency=high
 .
   * Backport a patch from Horde upstream to fix an IE-only hole in XSS filter
    (See CVE-2008-5917 for more information). (Closes: #512592)
   * Backport a patch from Horde upstream to fix a file inclusion issue in
     Horde_Image driver name (Image/Image.php). (Closes: #513265)
   * Fix small XSS/unescaped output vulnerability in services/obrowser/index.php
     (see CVE-2008-3330 for more information). (Closes: #492578)
Checksums-Sha1: 
 4737899db54692f66244a11d869172126b4fb998 1076 horde3_3.1.3-4etch5.dsc
 43dda35c02ec503fcbff42ee1f07187edb2bde24 13749 horde3_3.1.3-4etch5.diff.gz
 0be19171ea216a60ebd21c5bda24a6c25d363e03 5274074 horde3_3.1.3-4etch5_all.deb
Checksums-Sha256: 
 a245387839313fb208accc2bd018e19bc5be464cad1a6a269f43a0a866f493e2 1076 horde3_3.1.3-4etch5.dsc
 0b4f4fb788e890c4cb66bcb89a3ba6257ed397f98c230ecd2136a95057e7aab1 13749 horde3_3.1.3-4etch5.diff.gz
 6533c12f50134550558b54894536f32f66c455288ded8c730673bee1045ca0f6 5274074 horde3_3.1.3-4etch5_all.deb
Files: 
 c6082f3a21860b6b65b7edc4c58b0c07 1076 web optional horde3_3.1.3-4etch5.dsc
 d7ad332e2f535b9df1ab49bd9c7233fa 13749 web optional horde3_3.1.3-4etch5.diff.gz
 e4cfd0484345a153c33481101472a1fe 5274074 web optional horde3_3.1.3-4etch5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknY8iUACgkQMhdcDcECeg5ZGQCfSpIZtGiyXj+E1a22wtZIS7kE
+PgAn1BAMoGxJ0iJjLc/fWJqovUXY1Qv
=y3R8
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 May 2009 07:35:19 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:35:13 2014.