Debian Bug report logs - #536554
CVE-2009-2360: Cross-site scripting vulnerability


Package: sork-passwd-h3; Maintainer for sork-passwd-h3 is Debian Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 11 Jul 2009 05:33:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions sork-passwd-h3/3.1-1.1, sork-passwd-h3/3.0-2+lenny1, sork-passwd-h3/3.0-2+etch1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#536554; Package sork-passwd-h3. (Sat, 11 Jul 2009 05:33:04 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Sat, 11 Jul 2009 05:33:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2360: Cross-site scripting vulnerability
Date: Sat, 11 Jul 2009 15:31:56 +1000
Package: sork-passwd-h3
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sork-passwd-h3.

CVE-2009-2360[0]:
| Cross-site scripting (XSS) vulnerability in passwd/main.php in the
| Passwd module before 3.1.1 for Horde allows remote attackers to inject
| arbitrary web script or HTML via the backend parameter.

The upstream patch can be found here[1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2360
    http://security-tracker.debian.net/tracker/CVE-2009-2360
[1] http://bugs.horde.org/ticket/8398
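The bug class named in the CVE text above, as an added illustration that is neither Horde's code nor the upstream patch: a constructed PHP fragment that reflects the `backend` request parameter verbatim into a hidden form field (the vulnerable shape), beside a hardened version that restricts the value to configured backend keys and HTML-encodes it on output. The `$backends` array, both function names and the sample input are assumptions; the real `passwd/main.php` code is not on this page.

```php
<?php
// Constructed illustration of the XSS pattern behind CVE-2009-2360.
// Not Horde's code. $backends stands in for the module's configured
// password backends (assumed name and shape).
$backends = array(
    'ldap' => 'LDAP directory',
    'sql'  => 'SQL database',
);

// Vulnerable shape: the request parameter is copied into HTML unchanged,
// so a value containing a quote and a tag breaks out of the attribute.
function render_backend_field_vulnerable($backend)
{
    return '<input type="hidden" name="backend" value="' . $backend . '" />';
}

// Hardened shape: (1) accept only a key that is actually configured,
// (2) HTML-encode on output anyway, so the page stays safe even if the
// allowlist is later relaxed.
function render_backend_field_fixed($backend, array $backends)
{
    if (!is_string($backend) || !array_key_exists($backend, $backends)) {
        // Unknown or malformed value: fall back to the first configured
        // backend instead of reflecting attacker-controlled input.
        reset($backends);
        $backend = key($backends);
    }
    $safe = htmlspecialchars($backend, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="backend" value="' . $safe . '" />';
}

// Constructed hostile input of the kind a reflected-XSS report describes:
// a quote that closes the attribute, followed by a script element.
$tainted = '"><script>alert(1)</script>';

echo "vulnerable: ", render_backend_field_vulnerable($tainted), "\n";
echo "fixed:      ", render_backend_field_fixed($tainted, $backends), "\n";
echo "fixed/ok:   ", render_backend_field_fixed('sql', $backends), "\n";
```

Run with `php` on the command line and compare the three lines: the first carries the script element intact, the second falls back to `ldap`, the third passes the legitimate key through. Encoding alone (step 2) would already neutralise the payload; the allowlist (step 1) additionally keeps a password module from ever acting on a backend name it was not configured with.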




Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Sat, 11 Jul 2009 06:54:07 GMT)

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 11 Jul 2009 06:54:08 GMT)

Message #10 received at 536554-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 536554-close@bugs.debian.org
Subject: Bug#536554: fixed in sork-passwd-h3 3.1-1.1
Date: Sat, 11 Jul 2009 06:32:05 +0000
Source: sork-passwd-h3
Source-Version: 3.1-1.1

We believe that the bug you reported is fixed in the latest version of
sork-passwd-h3, which is due to be installed in the Debian FTP archive:

sork-passwd-h3_3.1-1.1.diff.gz
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.1-1.1.diff.gz
sork-passwd-h3_3.1-1.1.dsc
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.1-1.1.dsc
sork-passwd-h3_3.1-1.1_all.deb
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.1-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 536554@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated sork-passwd-h3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 11 Jul 2009 06:02:56 +0000
Source: sork-passwd-h3
Binary: sork-passwd-h3
Architecture: source all
Version: 3.1-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 sork-passwd-h3 - Horde3 module for users to change their password
Closes: 536554
Changes: 
 sork-passwd-h3 (3.1-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix XSS via the backend parameter (Closes: #536554)
     Fixes: CVE-2009-2360
Checksums-Sha1: 
 46325f67f6816128ef56cc80a806d2b3ef4c29ee 1314 sork-passwd-h3_3.1-1.1.dsc
 9394c534063d5f3d23293f85f59e443e31095f03 8968 sork-passwd-h3_3.1-1.1.diff.gz
 f4e0e9f5b1f4293a2c57b693ffc68d996a8cd254 1424154 sork-passwd-h3_3.1-1.1_all.deb
Checksums-Sha256: 
 9776761da54a7c5604a7624c7ddb9c29df2ab2c6e3cc9bf6b673bb81f9d3e9a7 1314 sork-passwd-h3_3.1-1.1.dsc
 e838762e350a76780fb8efa48897e6fb10ae4b55613b2b3d80ed9304e6bb7532 8968 sork-passwd-h3_3.1-1.1.diff.gz
 27b6ed55e5cd7794812f0e33b92dca2145b966f38656bac759737cd397b88e1d 1424154 sork-passwd-h3_3.1-1.1_all.deb
Files: 
 6c420a0cd82ff2d3dfc6a0842bac394d 1314 web optional sork-passwd-h3_3.1-1.1.dsc
 09585405aba4d60706c85e355dc3a6f0 8968 web optional sork-passwd-h3_3.1-1.1.diff.gz
 d0e9551225d11475c61ec8c62dcb5ea3 1424154 web optional sork-passwd-h3_3.1-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpYL3sACgkQ62zWxYk/rQfEXgCcC4dP5Gkr7MG2anAmGjRI04Ie
oBsAn04n/l/bQLWICUejm7q/3KfAh5KD
=iGkc
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#536554; Package sork-passwd-h3. (Sat, 11 Jul 2009 07:57:02 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Sat, 11 Jul 2009 07:57:02 GMT)

Message #15 received at 536554@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 536554@bugs.debian.org
Subject: nmu patch
Date: Sat, 11 Jul 2009 17:39:55 +1000
[Message part 1 (text/plain, inline)]
Hi

Attached is the full nmu patch.

Cheers
Steffen
[nmu.diff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Sat, 11 Jul 2009 14:27:03 GMT)

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 11 Jul 2009 14:27:03 GMT)

Message #20 received at 536554-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 536554-close@bugs.debian.org
Subject: Bug#536554: fixed in sork-passwd-h3 3.0-2+lenny1
Date: Sat, 11 Jul 2009 13:55:41 +0000
Source: sork-passwd-h3
Source-Version: 3.0-2+lenny1

We believe that the bug you reported is fixed in the latest version of
sork-passwd-h3, which is due to be installed in the Debian FTP archive:

sork-passwd-h3_3.0-2+lenny1.diff.gz
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+lenny1.diff.gz
sork-passwd-h3_3.0-2+lenny1.dsc
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+lenny1.dsc
sork-passwd-h3_3.0-2+lenny1_all.deb
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 536554@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated sork-passwd-h3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 11 Jul 2009 06:31:33 +0000
Source: sork-passwd-h3
Binary: sork-passwd-h3
Architecture: source all
Version: 3.0-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 sork-passwd-h3 - Horde3 module for users to change their password
Closes: 536554
Changes: 
 sork-passwd-h3 (3.0-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix XSS in backend parameter (Closes: #536554)
     Fixes: CVE-2009-2360
Checksums-Sha1: 
 70a9aca3929cf2fca68ce41b6f04bd4cfa1aab56 1134 sork-passwd-h3_3.0-2+lenny1.dsc
 e2648e109913bc374a3813952a1e509dcd5a038e 8075 sork-passwd-h3_3.0-2+lenny1.diff.gz
 54b7f216d8b4762fde37dcc38e89838fd1850559 936656 sork-passwd-h3_3.0-2+lenny1_all.deb
Checksums-Sha256: 
 251ee549e8597fbad582a5719a204c1308a89c912359c44ea0b72bfaa4ddafc7 1134 sork-passwd-h3_3.0-2+lenny1.dsc
 498e9c1c0a7251473ad01ac39f046bb3df58740d59e6e409b90d0b76383f2aff 8075 sork-passwd-h3_3.0-2+lenny1.diff.gz
 ae82226cc1823d7cfcd99914796c5c5ceecff16bef55b386b07514718af12791 936656 sork-passwd-h3_3.0-2+lenny1_all.deb
Files: 
 21cddfb0875a3513716238b2482c8f48 1134 web optional sork-passwd-h3_3.0-2+lenny1.dsc
 ac8d69e8612a96eeb18f3d68960dfaa2 8075 web optional sork-passwd-h3_3.0-2+lenny1.diff.gz
 b931e5db33decf642d8911f01b5656a1 936656 web optional sork-passwd-h3_3.0-2+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpYNVIACgkQ62zWxYk/rQfyTwCfVnMJfZ+NQhlxt3FHFqoQJTxh
hN8AoLTmsAo9G4w3k7picuU6EbHBOjnm
=4lKJ
-----END PGP SIGNATURE-----





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Mon, 13 Jul 2009 20:21:09 GMT)

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Mon, 13 Jul 2009 20:21:10 GMT)

Message #25 received at 536554-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 536554-close@bugs.debian.org
Subject: Bug#536554: fixed in sork-passwd-h3 3.0-2+etch1
Date: Mon, 13 Jul 2009 19:53:56 +0000
Source: sork-passwd-h3
Source-Version: 3.0-2+etch1

We believe that the bug you reported is fixed in the latest version of
sork-passwd-h3, which is due to be installed in the Debian FTP archive:

sork-passwd-h3_3.0-2+etch1.diff.gz
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+etch1.diff.gz
sork-passwd-h3_3.0-2+etch1.dsc
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+etch1.dsc
sork-passwd-h3_3.0-2+etch1_all.deb
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 536554@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated sork-passwd-h3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 11 Jul 2009 08:36:29 +0200
Source: sork-passwd-h3
Binary: sork-passwd-h3
Architecture: source all
Version: 3.0-2+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 sork-passwd-h3 - Horde3 module for users to change their password
Closes: 536554
Changes: 
 sork-passwd-h3 (3.0-2+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix XSS in backend parameter (Closes: #536554)
     Fixes: CVE-2009-2360
Files: 
 9c114c8b4abf6db6b91a94f4e0359f77 722 web optional sork-passwd-h3_3.0-2+etch1.dsc
 ca5612500c91c4ef3c838e8e94376332 966096 web optional sork-passwd-h3_3.0.orig.tar.gz
 f8bdcfd6195df252914144f2a9e78869 8070 web optional sork-passwd-h3_3.0-2+etch1.diff.gz
 8827158aa7959c230edd2f264061309d 936654 web optional sork-passwd-h3_3.0-2+etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpYM8oACgkQ62zWxYk/rQea5ACeIG1aDbaxo8vGRTpkPBVLJd1B
HT0An3n3cmn4tUTvhykhHHlC6QM0Gfki
=RbWq
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Sep 2009 07:34:14 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 05:33:27 2014; Machine Name: beach.debian.org
