Debian Bug report logs - #500114
CVE-2008-4182: XSS in turba2


Package: turba2; Maintainer for turba2 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Thu, 25 Sep 2008 08:57:01 UTC

Severity: important

Tags: patch, security

Found in version turba2/2.1.3-1

Fixed in version turba2/2.2.1-2

Done: Gregory Colpart <reg@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#500114; Package turba2. (Thu, 25 Sep 2008 08:57:03 GMT)

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 25 Sep 2008 08:57:03 GMT)

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: CVE-2008-4182: XSS in turba2
Date: Thu, 25 Sep 2008 10:51:19 +0200
Package: turba2
Version: 2.1.3-1
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for turba2.

CVE-2008-4182[0]:
| Cross-site scripting (XSS) vulnerability in imp/test.php in Horde
| Turba Contact Manager H3 2.2.1, and possibly other Horde Project
| products, allows remote attackers to inject arbitrary web script or
| HTML via the User field in an IMAP session.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4182
    http://security-tracker.debian.net/tracker/CVE-2008-4182




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#500114; Package turba2. (Mon, 29 Sep 2008 10:33:21 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Mon, 29 Sep 2008 10:33:21 GMT)

Message #10 received at 500114@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org
Cc: 500114@bugs.debian.org
Subject: add upstream patch for XSS issue
Date: Mon, 29 Sep 2008 20:02:28 +1000
tags 500114 patch
thanks

Hi

There is an upstream patch for this issue[0]. Could you please make sure
it reaches lenny via migration from unstable? I guess for stable (etch), you 
could go via stable-proposed-updates.
Thanks in advance.

Cheers
Steffen

[0]: http://cvs.horde.org/diff.php/turba/test.php?r1=1.22&r2=1.23

Tags added: patch. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Mon, 29 Sep 2008 10:33:25 GMT)

Reply sent to Gregory Colpart <reg@debian.org>:
You have taken responsibility. (Sun, 05 Oct 2008 17:30:06 GMT)

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Sun, 05 Oct 2008 17:30:06 GMT)

Message #17 received at 500114-close@bugs.debian.org:

From: Gregory Colpart <reg@debian.org>
To: 500114-close@bugs.debian.org
Subject: Bug#500114: fixed in turba2 2.2.1-2
Date: Sun, 05 Oct 2008 17:17:04 +0000
Source: turba2
Source-Version: 2.2.1-2

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.2.1-2.diff.gz
  to pool/main/t/turba2/turba2_2.2.1-2.diff.gz
turba2_2.2.1-2.dsc
  to pool/main/t/turba2/turba2_2.2.1-2.dsc
turba2_2.2.1-2_all.deb
  to pool/main/t/turba2/turba2_2.2.1-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 500114@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart <reg@debian.org> (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 05 Oct 2008 18:44:24 +0200
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.2.1-2
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart <reg@debian.org>
Description: 
 turba2     - contact management component for horde framework
Closes: 500114
Changes: 
 turba2 (2.2.1-2) unstable; urgency=medium
 .
   * Backport a patch from Horde CVS to escape output on test.php file. This
     fix could be considered as a minor XSS issue, see CVE-2008-4182.
     (Closes: #500114)
   * Change Gregory Colpart's email address in debian/control file.
   * Typo and very small modifications in debian/copyright file.
Checksums-Sha1: 
 1af22c529fd29f297c8fb8c814f9e3d1fbdfa36d 1307 turba2_2.2.1-2.dsc
 907ad9a6c1fa24dcee7749eed1283b1b2898eec8 9657 turba2_2.2.1-2.diff.gz
 d4aa7f740e44bde2e89bbc03ac0a147198b7cf75 2242130 turba2_2.2.1-2_all.deb
Checksums-Sha256: 
 128bcc721b142a161111948b0d4336bed6b5cc7de3cf062a17fc811d90308639 1307 turba2_2.2.1-2.dsc
 900385ec1a266185aaf85a6fe1bcc68966cc02cf8e9aa5d04cbfb5783620330c 9657 turba2_2.2.1-2.diff.gz
 4ac16a69c834891e4cb8dac93e16890de8e510828f1ce9f41aa1c3a98e9bb8d2 2242130 turba2_2.2.1-2_all.deb
Files: 
 ee13d9b1f4e791da1bb944d2d005a19f 1307 web optional turba2_2.2.1-2.dsc
 92daa6a34d973e8b7939edf3fb03303f 9657 web optional turba2_2.2.1-2.diff.gz
 d96826d1a34223f97cdc79cda4323fae 2242130 web optional turba2_2.2.1-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjo8ycACgkQMhdcDcECeg6CNQCfSO2dWXlIASj2UdyPjq50dj5d
oMEAoIRLPKz9zIusAY4mSKqGjbwv7nSm
=sA0V
-----END PGP SIGNATURE-----
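The CVE text in the first message names the User field of the IMAP test page as the injection point, and the changelog above describes the fix only as "escape output on test.php". The following is an added example written for this page; it is not Horde's turba/test.php and not the CVS diff Steffen linked. It shows the pattern behind that kind of fix in PHP (7 or later): the same page rendered once with the submitted user name inserted verbatim and once with every untrusted value passed through htmlspecialchars at the output point. The field name "user", the helper name esc(), the page layout and the attacker payload are all assumptions.

```php
<?php
// Added illustration for CVE-2008-4182, written for this page; it is not
// Horde's turba/test.php and not the CVS patch linked in the bug log.
// Assumption: the test page reads the IMAP user name from a form field
// named "user" and echoes it back both as the input's value attribute and
// in the result line. The helper name esc() is hypothetical.

/** Vulnerable rendering: the submitted user name goes into the HTML verbatim. */
function render_vulnerable(string $user, string $result): string
{
    return '<form method="post">'
         . '<input type="text" name="user" value="' . $user . '">'
         . '</form>'
         . '<p>IMAP login for ' . $user . ': ' . $result . '</p>';
}

/** Escape a value for an HTML text node or a quoted attribute. */
function esc(string $s): string
{
    // ENT_QUOTES also converts the single quote, so the same helper is safe
    // inside single-quoted attributes; the charset must match the page's.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** Hardened rendering: every untrusted value is escaped where it is output. */
function render_fixed(string $user, string $result): string
{
    return '<form method="post">'
         . '<input type="text" name="user" value="' . esc($user) . '">'
         . '</form>'
         . '<p>IMAP login for ' . esc($user) . ': ' . esc($result) . '</p>';
}

// Constructed attacker input: closes the value attribute, injects a script
// element, then opens a dummy attribute so the rest of the page still parses.
$payload = '"><script>alert(document.cookie)</script><i x="';
$user    = PHP_SAPI === 'cli' ? $payload : (string) ($_POST['user'] ?? '');
$result  = 'connection refused';

echo "vulnerable:\n", render_vulnerable($user, $result), "\n\n";
echo "fixed:\n", render_fixed($user, $result), "\n";

// Check: the hardened output must carry no raw <script> and the payload's
// leading quote and angle bracket must have become entities.
$out = render_fixed($payload, $result);
if (strpos($out, '<script') !== false || strpos($out, '&quot;&gt;') === false) {
    throw new RuntimeException('escaping failed');
}
```

Run it from the command line with `php test_xss.php` (the CLI branch substitutes the constructed payload for the missing POST data). The vulnerable rendering ends up with a live script element in the page; the fixed rendering shows the same text with `"`, `<` and `>` as entities in both the attribute and the text node. The point that matters when reviewing a patch like the one in this bug is that escaping happens at each output location and with ENT_QUOTES, since an attribute-context injection like the payload here only needs a double quote, not an angle bracket, to break out. Install-time check scripts of this kind are also commonly removed from production deployments; escaping makes the page safe if it is left in place.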





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Nov 2008 07:26:23 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 16:40:56 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.