Debian Bug report logs - #500553
CVE-2008-4182: XSS in imp4


Package: imp4; Maintainer for imp4 is Horde Maintainers <>;

Reported by: Steffen Joeris <>

Date: Mon, 29 Sep 2008 10:33:02 UTC

Severity: important

Tags: patch, security

Fixed in version imp4/4.2-3

Done: Gregory Colpart <>

Bug is archived. No further changes may be made.



Report forwarded to, Horde Maintainers <>:
Bug#500553; Package imp4. (Mon, 29 Sep 2008 10:33:05 GMT)

Acknowledgement sent to Steffen Joeris <>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <>. (Mon, 29 Sep 2008 10:33:05 GMT)

Message #5 received at:

From: Steffen Joeris <>
To: Debian Bug Tracking System <>
Subject: CVE-2008-4182: XSS in imp4
Date: Mon, 29 Sep 2008 20:00:13 +1000
Package: imp4
Severity: important
Tags: security, patch

The following CVE (Common Vulnerabilities & Exposures) id was
published for imp4.

| Cross-site scripting (XSS) vulnerability in imp/test.php in Horde
| Turba Contact Manager H3 2.2.1, and possibly other Horde Project
| products, allows remote attackers to inject arbitrary web script or
| HTML via the User field in an IMAP session.

The upstream patch for this issue can be found here[1]. Please address
this issue together with the turba2 XSS for lenny via migration from

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.


For further information see:


Reply sent to Gregory Colpart <>:
You have taken responsibility. (Sun, 05 Oct 2008 17:00:07 GMT)

Notification sent to Steffen Joeris <>:
Bug acknowledged by developer. (Sun, 05 Oct 2008 17:00:07 GMT)

Message #10 received at:

From: Gregory Colpart <>
Subject: Bug#500553: fixed in imp4 4.2-3
Date: Sun, 05 Oct 2008 16:47:07 +0000
Source: imp4
Source-Version: 4.2-3

We believe that the bug you reported is fixed in the latest version of
imp4, which is due to be installed in the Debian FTP archive:

  to pool/main/i/imp4/imp4_4.2-3.diff.gz
  to pool/main/i/imp4/imp4_4.2-3.dsc
  to pool/main/i/imp4/imp4_4.2-3_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Gregory Colpart <> (supplier of updated imp4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.8
Date: Sun, 05 Oct 2008 15:23:11 +0200
Source: imp4
Binary: imp4
Architecture: source all
Version: 4.2-3
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <>
Changed-By: Gregory Colpart <>
 imp4       - webmail component for horde framework
Closes: 500553
 imp4 (4.2-3) unstable; urgency=medium
   * Backport a patch from Horde CVS to escape output on test.php file. This
     fix could be considered as a minor XSS issue, see CVE-2008-4182.
     (Closes: #500553)
   * Change Gregory Colpart's email address in debian/control file.



Bug archived. Request was from Debbugs Internal Request <> to (Sun, 09 Nov 2008 07:28:22 GMT)


Debian bug tracking system administrator <>. Last modified: Wed Apr 23 21:02:52 2014
