Debian Bug report logs - #598582
horde3: Four security issues in Horde


Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Thu, 30 Sep 2010 09:42:01 UTC

Severity: grave

Tags: security

Fixed in version horde3/3.3.8+debian0-2

Done: Gregory Colpart <reg@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#598582; Package horde3. (Thu, 30 Sep 2010 09:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 30 Sep 2010 09:42:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: horde3: Four security issues in Horde
Date: Thu, 30 Sep 2010 11:38:39 +0200
Package: horde3
Severity: grave
Tags: security
Justification: user security hole

I suppose these issues reported here refer to the horde3
source package:
http://lists.horde.org/archives/announce/2010/000568.html

Cheers,
        Moritz

-- System Information:
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#598582; Package horde3. (Sun, 31 Oct 2010 12:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Sun, 31 Oct 2010 12:03:06 GMT) Full text and rfc822 format available.

Message #10 received at 598582@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 598582@bugs.debian.org
Subject: Re: [pkg-horde] Bug#598582: horde3: Four security issues in Horde
Date: Sun, 31 Oct 2010 12:50:07 +0100
Hello,

On Thu, Sep 30, 2010 at 11:38:39AM +0200, Moritz Muehlenhoff wrote:
> 
> I suppose these issues reported here refer to the horde3
> source package:
> http://lists.horde.org/archives/announce/2010/000568.html

Sorry for the delay and thanks for your upload of gollem and dimp1.

For horde3, I prepare the patches for Lenny and Squeeze/Sid. They
are on http://git.debian.org/?p=pkg-horde/horde3.git;a=summary
I'm waiting for comments from upstream before uploading.

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:4096R/B8612B5D
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#598582; Package horde3. (Wed, 03 Nov 2010 19:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mehdi Dogguy <mehdi@dogguy.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 03 Nov 2010 19:03:07 GMT) Full text and rfc822 format available.

Message #15 received at 598582@bugs.debian.org (full text, mbox):

From: Mehdi Dogguy <mehdi@dogguy.org>
To: Gregory Colpart <reg@evolix.fr>, 598582@bugs.debian.org
Cc: Moritz Muehlenhoff <muehlenhoff@univention.de>
Subject: Re: Bug#598582: [pkg-horde] Bug#598582: horde3: Four security issues in Horde
Date: Wed, 3 Nov 2010 19:58:25 +0100
On  0, Gregory Colpart <reg@evolix.fr> wrote:
> 
> For horde3, I prepare the patches for Lenny and Squeeze/Sid. They
> are on http://git.debian.org/?p=pkg-horde/horde3.git;a=summary
> I'm waiting for comments from upstream before uploading.
> 

Any news?

Regards,

-- 
Mehdi Dogguy




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#598582; Package horde3. (Wed, 03 Nov 2010 22:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 03 Nov 2010 22:57:03 GMT) Full text and rfc822 format available.

Message #20 received at 598582@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: Mehdi Dogguy <mehdi@dogguy.org>
Cc: 598582@bugs.debian.org, Moritz Muehlenhoff <muehlenhoff@univention.de>
Subject: Re: Bug#598582: [pkg-horde] Bug#598582: horde3: Four security issues in Horde
Date: Wed, 3 Nov 2010 23:55:53 +0100
Hello,

On Wed, Nov 03, 2010 at 07:58:25PM +0100, Mehdi Dogguy wrote:
> On  0, Gregory Colpart <reg@evolix.fr> wrote:
> > 
> > For horde3, I prepare the patches for Lenny and Squeeze/Sid. They
> > are on http://git.debian.org/?p=pkg-horde/horde3.git;a=summary
> > I'm waiting for comments from upstream before uploading.
> > 
> 
> Any news?
 
I ping upstream on IRC and I improve my patches (committed on Git repo)
... but I'm still waiting for upstream comments before uploading.

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:4096R/B8612B5D
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Reply sent to Gregory Colpart <reg@debian.org>:
You have taken responsibility. (Tue, 09 Nov 2010 00:51:06 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Tue, 09 Nov 2010 00:51:06 GMT) Full text and rfc822 format available.

Message #25 received at 598582-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@debian.org>
To: 598582-close@bugs.debian.org
Subject: Bug#598582: fixed in horde3 3.3.8+debian0-2
Date: Tue, 09 Nov 2010 00:47:16 +0000
Source: horde3
Source-Version: 3.3.8+debian0-2

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.3.8+debian0-2.diff.gz
  to main/h/horde3/horde3_3.3.8+debian0-2.diff.gz
horde3_3.3.8+debian0-2.dsc
  to main/h/horde3/horde3_3.3.8+debian0-2.dsc
horde3_3.3.8+debian0-2_all.deb
  to main/h/horde3/horde3_3.3.8+debian0-2_all.deb
pear-horde-channel_3.3.8+debian0-2_all.deb
  to main/h/horde3/pear-horde-channel_3.3.8+debian0-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart <reg@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 03 Nov 2010 23:44:17 +0100
Source: horde3
Binary: horde3 pear-horde-channel
Architecture: source all
Version: 3.3.8+debian0-2
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart <reg@debian.org>
Description: 
 horde3     - horde web application framework
 pear-horde-channel - pear.horde.org channel
Closes: 597603 598582
Changes: 
 horde3 (3.3.8+debian0-2) unstable; urgency=medium
 .
   * Backport security patches from 3.3.9 and 3.3.10 to fix CVE-2010-3077
     and CVE-2010-3694 (Closes: #598582)
   * Backport upstream fix from 3.3.10 for SyncML bug: page sometimes deleting
     more anchors than selected.
   * Fix annoying bug in temp-cleanup.cron (Closes: #597603)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Dec 2010 07:33:25 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 19:33:37 2014; Machine Name: buxtehude.debian.org
