Debian Bug report logs - #598584
imp4: XSS in fetchmail configuration

Package: imp4; Maintainer for imp4 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Thu, 30 Sep 2010 09:45:01 UTC

Severity: grave

Tags: patch, security

Fixed in version imp4/4.3.7+debian0-2.1

Done: Moritz Muehlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#598584; Package imp4. (Thu, 30 Sep 2010 09:45:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 30 Sep 2010 09:45:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imp4: XSS in fetchmail configuration
Date: Thu, 30 Sep 2010 11:42:10 +0200
Package: imp4
Severity: grave
Tags: security
Justification: user security hole

Please see
http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.html

Cheers,
        Moritz

-- System Information:
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#598584; Package imp4. (Mon, 18 Oct 2010 16:51:05 GMT)

Acknowledgement sent to d+deb@vdr.jp:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Mon, 18 Oct 2010 16:51:05 GMT)

Message #10 received at 598584@bugs.debian.org:

From: d+deb@vdr.jp
To: control@bugs.debian.org
Cc: 598584@bugs.debian.org
Subject: fix patch
Date: Tue, 19 Oct 2010 01:47:41 +0900
tags 598584 + patch
thanks

fix patch (removed 1st hunk) attached.

http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11&ty=u
-- 
Regards,
	dai

GPG Fingerprint = 0B29 D88E 42E6 B765 B8D8 EA50 7839 619D D439 668E
[imp4-598584.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from d+deb@vdr.jp to control@bugs.debian.org. (Mon, 18 Oct 2010 16:51:10 GMT)

Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility. (Sat, 23 Oct 2010 21:03:19 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 23 Oct 2010 21:03:19 GMT)

Message #17 received at 598584-close@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 598584-close@bugs.debian.org
Subject: Bug#598584: fixed in imp4 4.3.7+debian0-2.1
Date: Sat, 23 Oct 2010 21:02:27 +0000
Source: imp4
Source-Version: 4.3.7+debian0-2.1

We believe that the bug you reported is fixed in the latest version of
imp4, which is due to be installed in the Debian FTP archive:

imp4_4.3.7+debian0-2.1.diff.gz
  to main/i/imp4/imp4_4.3.7+debian0-2.1.diff.gz
imp4_4.3.7+debian0-2.1.dsc
  to main/i/imp4/imp4_4.3.7+debian0-2.1.dsc
imp4_4.3.7+debian0-2.1_all.deb
  to main/i/imp4/imp4_4.3.7+debian0-2.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598584@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated imp4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 23 Oct 2010 16:49:35 +0200
Source: imp4
Binary: imp4
Architecture: source all
Version: 4.3.7+debian0-2.1
Distribution: unstable
Urgency: low
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description: 
 imp4       - webmail component for horde framework
Closes: 598584
Changes: 
 imp4 (4.3.7+debian0-2.1) unstable; urgency=low
 .
   * Non-maintainer upload by the Security Team
   * Fix XSS (Closes: #598584)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Nov 2010 07:32:25 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:07:35 2014; Machine Name: beach.debian.org