Debian Bug report logs - #512592
CVE-2008-5917: Cross-site scripting (XSS) vulnerability in the XSS filter

version graph

Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Thu, 22 Jan 2009 01:21:01 UTC

Severity: important

Tags: patch, security

Found in version horde3/3.2.2+debian0-1

Fixed in version horde3/3.2.2+debian0-2

Done: Gregory Colpart <reg@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#512592; Package horde3. (Thu, 22 Jan 2009 01:21:03 GMT) Full text and rfc822 format available.

Message #3 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2008-5917: Cross-site scripting (XSS) vulnerability in the XSS filter
Date: Wed, 21 Jan 2009 19:18:24 -0600
[Message part 1 (text/plain, inline)]
Package: horde3
Version: 3.2.2+debian0-1
Severity: important
Tags: security patch

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
horde3.

CVE-2008-5917[1]:
> Cross-site scripting (XSS) vulnerability in the XSS filter
> (framework/Text_Filter/Filter/xss.php) in Horde Application Framework 3.2.2
> and 3.3, when Internet Explorer is being used, allows remote attackers to
> inject arbitrary web script or HTML via unknown vectors related to style
> attributes.

The changes made by upstream to fix this bug are available at [2].

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5917
     http://security-tracker.debian.net/tracker/CVE-2008-5917
[2]http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/xss.php?r1=1.17&r2=1.18

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#512592; Package horde3. (Thu, 22 Jan 2009 01:36:02 GMT) Full text and rfc822 format available.

Message #6 received at 512592@bugs.debian.org (full text, mbox):

From: Raphael Geissert <atomo64@gmail.com>
To: 512592@bugs.debian.org
Subject: Re: CVE-2008-5917: Cross-site scripting (XSS) vulnerability in the XSS filter
Date: Wed, 21 Jan 2009 19:32:16 -0600
Just reviewed version in etch, and it appears to be affected as well.

The affected line in etch is 218.

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#512592; Package horde3. (Sun, 25 Jan 2009 02:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Sun, 25 Jan 2009 02:30:03 GMT) Full text and rfc822 format available.

Message #11 received at 512592@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: 512592@bugs.debian.org
Subject: Re: [pkg-horde] Bug#512592: CVE-2008-5917: Cross-site scripting (XSS) vulnerability in the XSS filter
Date: Sun, 25 Jan 2009 03:29:13 +0100
Hello,

On Wed, Jan 21, 2009 at 07:18:24PM -0600, Raphael Geissert wrote:
> 
> The following CVE (Common Vulnerabilities & Exposures) id was published for 
> horde3.
> 
> CVE-2008-5917[1]:
> > Cross-site scripting (XSS) vulnerability in the XSS filter
> > (framework/Text_Filter/Filter/xss.php) in Horde Application Framework 3.2.2
> > and 3.3, when Internet Explorer is being used, allows remote attackers to
> > inject arbitrary web script or HTML via unknown vectors related to style
> > attributes.
> 
> The changes made by upstream to fix this bug are available at [2].
> 
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5917
>      http://security-tracker.debian.net/tracker/CVE-2008-5917
> [2]http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/xss.php?r1=1.17&r2=1.18

Note to avoid duplicate effort: I'm preparing packages/advisory.
I will request upload by debian-security next week.

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Reply sent to Gregory Colpart <reg@debian.org>:
You have taken responsibility. (Thu, 29 Jan 2009 01:57:02 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Thu, 29 Jan 2009 01:57:02 GMT) Full text and rfc822 format available.

Message #16 received at 512592-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@debian.org>
To: 512592-close@bugs.debian.org
Subject: Bug#512592: fixed in horde3 3.2.2+debian0-2
Date: Thu, 29 Jan 2009 01:47:06 +0000
Source: horde3
Source-Version: 3.2.2+debian0-2

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.2.2+debian0-2.diff.gz
  to pool/main/h/horde3/horde3_3.2.2+debian0-2.diff.gz
horde3_3.2.2+debian0-2.dsc
  to pool/main/h/horde3/horde3_3.2.2+debian0-2.dsc
horde3_3.2.2+debian0-2_all.deb
  to pool/main/h/horde3/horde3_3.2.2+debian0-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512592@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart <reg@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Jan 2009 01:15:51 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.2.2+debian0-2
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart <reg@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 512592 513265
Changes: 
 horde3 (3.2.2+debian0-2) unstable; urgency=high
 .
   * Add informations in README.Debian about test.php files: these files should
     not be "allow from all", because test.php includes private informations and
     could be unsafe (for example see CVE-2008-4182).
   * Include a patch from Horde upstream to fix an IE-only hole in XSS filter
     (See CVE-2008-5917 for more information). (Closes: #512592)
   * Include patches from Horde upstream to fix a file inclusion issue in
     Horde_Image driver name (Image/Image.php) and an unescaped output in
     the tag cloud block (services/portal/cloud_search.php). (Closes: #513265)
Checksums-Sha1: 
 4b8dcdac985d32f53fc43bafe80a72a863067dbc 1360 horde3_3.2.2+debian0-2.dsc
 29b2ff3287c0d505d3f2bbb5fcd6608c73ccb755 23856 horde3_3.2.2+debian0-2.diff.gz
 861b3314df8c0887148fd6fe4d847481d9a0aae2 7215490 horde3_3.2.2+debian0-2_all.deb
Checksums-Sha256: 
 8d1ea931167d20e47faa0751d021fabe09100212b76bb8152f7ce93aed47fb78 1360 horde3_3.2.2+debian0-2.dsc
 4e55e03dd7fc884d05a8d1b6b6b4bf660a771acdeebb97e6335050a324f7b41e 23856 horde3_3.2.2+debian0-2.diff.gz
 5efce58e08ac7b1f9779a31b71b226f0b719ffbd2cf41dd51b0e9b7cb71dbe62 7215490 horde3_3.2.2+debian0-2_all.deb
Files: 
 5a63857027659277189fb113731e6116 1360 web optional horde3_3.2.2+debian0-2.dsc
 bd040798ef3629b8a95c5c57773f6191 23856 web optional horde3_3.2.2+debian0-2.diff.gz
 12698e83f292061100570685bc647d01 7215490 web optional horde3_3.2.2+debian0-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmBBwQACgkQMhdcDcECeg7yJgCfcxf3GBsOTLrPOXXgPIgXXL/H
9CUAoIc5BmR6RrbvC48wB2OWB5nKgSgH
=UB8Q
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#512592; Package horde3. (Thu, 29 Jan 2009 03:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 29 Jan 2009 03:15:04 GMT) Full text and rfc822 format available.

Message #21 received at 512592@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: 512592@bugs.debian.org, 513265@bugs.debian.org
Subject: Debdiff for stable-security
Date: Thu, 29 Jan 2009 03:57:06 +0100
Hello,

Etch is also impacted by these bugs. Dediff is here:
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch4_3.1.3-4etch5.diff

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Mar 2009 07:33:15 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 04:51:40 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.