Debian Bug report logs - #500553
CVE-2008-4182: XSS in imp4


Package: imp4; Maintainer for imp4 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Mon, 29 Sep 2008 10:33:02 UTC

Severity: important

Tags: patch, security

Fixed in version imp4/4.2-3

Done: Gregory Colpart <reg@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#500553; Package imp4. (Mon, 29 Sep 2008 10:33:05 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Mon, 29 Sep 2008 10:33:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-4182: XSS in imp4
Date: Mon, 29 Sep 2008 20:00:13 +1000
Package: imp4
Severity: important
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for imp4.

CVE-2008-4182[0]:
| Cross-site scripting (XSS) vulnerability in imp/test.php in Horde
| Turba Contact Manager H3 2.2.1, and possibly other Horde Project
| products, allows remote attackers to inject arbitrary web script or
| HTML via the User field in an IMAP session.

The upstream patch for this issue can be found here[1]. Please address
this issue together with the turba2 XSS for lenny via migration from
unstable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4182
    http://security-tracker.debian.net/tracker/CVE-2008-4182
[1] http://cvs.horde.org/diff.php/imp/test.php?r1=1.70&r2=1.71




Reply sent to Gregory Colpart <reg@debian.org>:
You have taken responsibility. (Sun, 05 Oct 2008 17:00:07 GMT)

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sun, 05 Oct 2008 17:00:07 GMT)

Message #10 received at 500553-close@bugs.debian.org:

From: Gregory Colpart <reg@debian.org>
To: 500553-close@bugs.debian.org
Subject: Bug#500553: fixed in imp4 4.2-3
Date: Sun, 05 Oct 2008 16:47:07 +0000
Source: imp4
Source-Version: 4.2-3

We believe that the bug you reported is fixed in the latest version of
imp4, which is due to be installed in the Debian FTP archive:

imp4_4.2-3.diff.gz
  to pool/main/i/imp4/imp4_4.2-3.diff.gz
imp4_4.2-3.dsc
  to pool/main/i/imp4/imp4_4.2-3.dsc
imp4_4.2-3_all.deb
  to pool/main/i/imp4/imp4_4.2-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 500553@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart <reg@debian.org> (supplier of updated imp4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 05 Oct 2008 15:23:11 +0200
Source: imp4
Binary: imp4
Architecture: source all
Version: 4.2-3
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart <reg@debian.org>
Description: 
 imp4       - webmail component for horde framework
Closes: 500553
Changes: 
 imp4 (4.2-3) unstable; urgency=medium
 .
   * Backport a patch from Horde CVS to escape output on test.php file. This
     fix could be considered as a minor XSS issue, see CVE-2008-4182.
     (Closes: #500553)
   * Change Gregory Colpart's email address in debian/control file.
Checksums-Sha1: 
 df32d3e8ff4d0fce3246b3c54c3c36c8d6169cc1 1091 imp4_4.2-3.dsc
 085c82a92c9058fac07f5ec7ac244fe7ce1b49c0 13581 imp4_4.2-3.diff.gz
 78e32e2ef764e927c0560566e8911aeddb0ae547 4930108 imp4_4.2-3_all.deb
Checksums-Sha256: 
 6fb0f912ad5c1ebff0037c440996184c250542753c9787a05eefca2df1b7bb25 1091 imp4_4.2-3.dsc
 9847e91b9762a1f27d76b938d6ba851a384d78198153c114c2f1842796650222 13581 imp4_4.2-3.diff.gz
 ec307f3d8b17ffa23b05db3ed864d7f3a2bc187a10b02389caca5860dc389d16 4930108 imp4_4.2-3_all.deb
Files: 
 bb5e780fd436dcc546139f9acbf94f98 1091 web optional imp4_4.2-3.dsc
 afbcb8a5cdaf297839927cd34e85dcf1 13581 web optional imp4_4.2-3.diff.gz
 1b8e641a5e8353c6b15820d3789da4be 4930108 web optional imp4_4.2-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjo7W8ACgkQMhdcDcECeg5AfgCdHyp/5TJCVp6Cqzh5V6HmeGYB
XVAAnRzzuC2cj+K+hhg3+9Jdu7HJGVIC
=2XOE
-----END PGP SIGNATURE-----
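The report above describes the flaw as unescaped reflection of the User field entered on the IMP diagnostic page, and the changelog records the fix as escaping output in test.php. The following PHP snippet is an added illustration of that class of bug and its fix; it is not the Horde/IMP test.php code and not the upstream patch from [1]. The function names, the page markup and the sample input are all constructed for this example.

```php
<?php
// Added example (not Horde/IMP code): a diagnostic page that echoes the
// submitted "user" field back into HTML, shown as the vulnerable pattern
// and as the output-escaped pattern the changelog describes.

// Vulnerable pattern: the raw field is concatenated into markup unchanged,
// so any HTML the submitter places in the field becomes part of the page
// (reflected XSS).
function render_user_field_vulnerable(string $user): string
{
    return '<p>Testing IMAP login as: ' . $user . '</p>'
         . '<input type="text" name="user" value="' . $user . '">';
}

// Hardened pattern: escape at the point of output with htmlspecialchars().
// ENT_QUOTES escapes both single and double quotes, which matters because
// the same value is also placed inside an attribute; the explicit charset
// prevents multibyte sequences from bypassing the escaping.
function render_user_field_escaped(string $user): string
{
    $safe = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    return '<p>Testing IMAP login as: ' . $safe . '</p>'
         . '<input type="text" name="user" value="' . $safe . '">';
}

// Constructed sample input carrying markup and a quote, as a submitter
// could type it into the form field.
$sample = 'alice"<b>bold</b>';

// In the first output the tags and quote reach the browser as markup;
// in the second they are rendered as literal text.
echo render_user_field_vulnerable($sample), "\n";
echo render_user_field_escaped($sample), "\n";
```

Escaping belongs at the output boundary, as in the second function, rather than at input time: the same value may later be written into a log, an IMAP command or a database, each of which needs its own encoding.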





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Nov 2008 07:28:22 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:46:29 2014; Machine Name: beach.debian.org
