Debian Bug report logs - #659392
CVE-2011-0791 / CVE-2012-0909

Package: imp4; Maintainer for imp4 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 10 Feb 2012 18:27:01 UTC

Severity: grave

Tags: patch, security

Fixed in versions imp4/4.3.7+debian0-2.2, imp4/4.3.10+debian0-1.1

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#659392; Package imp4. (Fri, 10 Feb 2012 18:27:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Fri, 10 Feb 2012 18:27:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-0791 / CVE-2012-0909
Date: Fri, 10 Feb 2012 19:23:40 +0100
Package: imp4
Severity: grave
Tags: security

Please see 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0791

I don't really understand the Horde/Kolab Webmail structure, so
imp4 might not be the actual affected package; please assign
as needed and keep us posted.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#659392; Package imp4. (Wed, 15 Feb 2012 00:27:05 GMT)

Acknowledgement sent to micah anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 15 Feb 2012 00:27:05 GMT)

Message #10 received at 659392@bugs.debian.org:

From: micah anderson <micah@riseup.net>
To: 659392@bugs.debian.org
Subject: Some information
Date: Tue, 14 Feb 2012 19:22:29 -0500
I've been trying to figure out if this issue affects stable.

The issues point to this openwall post:
http://www.openwall.com/lists/oss-security/2012/01/22/2

which has actual git commits for things.

CVE-2012-0791 has a simple changeset:

https://github.com/horde/horde/commit/208eae43c95136a67104f760027a8892a22b6e25

it touches two files:
framework/Form/lib/Horde/Form/Type.php
framework/Form/package.xml

neither of these files is in the horde3 or imp4 packages that are in Squeeze.

For the other issue CVE-2012-0909, that seems to affect Squeeze's IMP,
and a changeset between version 4.3.10 and 4.3.11 was published here:
http://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.3.10-h3-4.3.11.gz

Squeeze has 4.3.7. I've looked at the changeset above with a co-worker
and it does not look too hard to port to the Debian version. We'll do so
in the next couple of days if nobody else does first.

micah



Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#659392; Package imp4. (Wed, 15 Feb 2012 18:39:05 GMT)

Acknowledgement sent to micah anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 15 Feb 2012 18:39:05 GMT)

Message #15 received at 659392@bugs.debian.org:

From: micah anderson <micah@riseup.net>
To: 659392@bugs.debian.org
Subject: Re: Some information
Date: Wed, 15 Feb 2012 13:37:19 -0500
On Tue, 14 Feb 2012 19:22:29 -0500, micah anderson <micah@riseup.net> wrote:
> CVE-2012-0791 has a simple changeset:

Sorry, I switched these CVE issues; this one is actually CVE-2012-0909.

> https://github.com/horde/horde/commit/208eae43c95136a67104f760027a8892a22b6e25
> 
> it touches two files: 
> framework/Form/lib/Horde/Form/Type.php
> framework/Form/package.xml
> 
> neither of these files is in horde3 or imp4 that is in Squeeze.
> 
> For the other issue CVE-2012-0909, that seems to affect Squeeze's IMP,

this one is actually CVE-2012-0791.

> and a changeset between version 4.3.10 and 4.3.11 was published here:
> http://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.3.10-h3-4.3.11.gz
> 
> Squeeze has 4.3.7 - I've looked at the changeset above with a co-worker
> and it does not look too hard to port to the debian version. We'll do so
> in the next couple of days if nobody else does first.

I have a patch and am testing it now.




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#659392; Package imp4. (Wed, 15 Feb 2012 19:00:03 GMT)

Acknowledgement sent to micah <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 15 Feb 2012 19:00:04 GMT)

Message #20 received at 659392@bugs.debian.org:

From: micah <micah@riseup.net>
To: 659392@bugs.debian.org
Subject: debdiff
Date: Wed, 15 Feb 2012 13:57:55 -0500
Attached is a debdiff against the squeeze version to fix imp4.

Micah


[imp4_4.3.7+debian0-2.2.debdiff (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#659392; Package imp4. (Wed, 15 Feb 2012 19:30:08 GMT)

Acknowledgement sent to micah anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 15 Feb 2012 19:30:09 GMT)

Message #25 received at 659392@bugs.debian.org:

From: micah anderson <micah@riseup.net>
To: 659392@bugs.debian.org
Subject: Re: Bug#659392: Info received (debdiff)
Date: Wed, 15 Feb 2012 14:28:34 -0500
On Wed, 15 Feb 2012 13:57:55 -0500, micah <micah@algae.riseup.net> wrote:
> 
> Attached is a debdiff against the squeeze version to fix imp4.

I forgot to mention that I've built a package off of this diff and
tested it and it seems to work fine (I have no way of testing that the
XSS issue is fixed).

micah




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#659392; Package imp4. (Sat, 02 Jun 2012 17:09:09 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Sat, 02 Jun 2012 17:09:09 GMT)

Message #30 received at 659392@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 659392@bugs.debian.org
Subject: Re: CVE-2011-0791 / CVE-2012-0909
Date: Sat, 2 Jun 2012 19:06:01 +0200
Hi IMP maintainers,

Thanks, micah, for preparing a Squeeze package. I'm building it now and will
upload it to the security archive.

Is there already progress on fixing unstable?


Cheers,
Thijs





Reply sent to Micah Anderson <micah@riseup.net>:
You have taken responsibility. (Mon, 04 Jun 2012 20:51:10 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 04 Jun 2012 20:51:10 GMT)

Message #35 received at 659392-close@bugs.debian.org:

From: Micah Anderson <micah@riseup.net>
To: 659392-close@bugs.debian.org
Subject: Bug#659392: fixed in imp4 4.3.7+debian0-2.2
Date: Mon, 04 Jun 2012 20:49:00 +0000
Source: imp4
Source-Version: 4.3.7+debian0-2.2

We believe that the bug you reported is fixed in the latest version of
imp4, which is due to be installed in the Debian FTP archive:

imp4_4.3.7+debian0-2.2.diff.gz
  to main/i/imp4/imp4_4.3.7+debian0-2.2.diff.gz
imp4_4.3.7+debian0-2.2.dsc
  to main/i/imp4/imp4_4.3.7+debian0-2.2.dsc
imp4_4.3.7+debian0-2.2_all.deb
  to main/i/imp4/imp4_4.3.7+debian0-2.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Micah Anderson <micah@riseup.net> (supplier of updated imp4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 15 Feb 2012 10:39:48 -0800
Source: imp4
Binary: imp4
Architecture: source all
Version: 4.3.7+debian0-2.2
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Micah Anderson <micah@riseup.net>
Description: 
 imp4       - webmail component for horde framework
Closes: 659392
Changes: 
 imp4 (4.3.7+debian0-2.2) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix XSS (CVE-2012-0791, Closes: #659392)






Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#659392; Package imp4. (Sat, 23 Jun 2012 10:39:05 GMT)

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Sat, 23 Jun 2012 10:39:10 GMT)

Message #40 received at 659392@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 659392@bugs.debian.org
Subject: imp4: diff for NMU version 4.3.10+debian0-1.1
Date: Sat, 23 Jun 2012 12:34:56 +0200
tags 659392 + patch
tags 659392 + pending
thanks

Dear maintainer,

I've prepared an NMU for imp4 (versioned as 4.3.10+debian0-1.1) and
uploaded it to DELAYED/02. Please feel free to tell me if I
should delay it longer.

Cheers

Luk
[imp4-4.3.10+debian0-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 23 Jun 2012 10:39:37 GMT)

Added tag(s) pending. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 23 Jun 2012 10:39:38 GMT)

Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Mon, 25 Jun 2012 10:51:29 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 25 Jun 2012 10:51:48 GMT)

Message #49 received at 659392-close@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 659392-close@bugs.debian.org
Subject: Bug#659392: fixed in imp4 4.3.10+debian0-1.1
Date: Mon, 25 Jun 2012 10:48:51 +0000
Source: imp4
Source-Version: 4.3.10+debian0-1.1

We believe that the bug you reported is fixed in the latest version of
imp4, which is due to be installed in the Debian FTP archive:

imp4_4.3.10+debian0-1.1.diff.gz
  to main/i/imp4/imp4_4.3.10+debian0-1.1.diff.gz
imp4_4.3.10+debian0-1.1.dsc
  to main/i/imp4/imp4_4.3.10+debian0-1.1.dsc
imp4_4.3.10+debian0-1.1_all.deb
  to main/i/imp4/imp4_4.3.10+debian0-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated imp4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 23 Jun 2012 12:32:31 +0200
Source: imp4
Binary: imp4
Architecture: source all
Version: 4.3.10+debian0-1.1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 imp4       - webmail component for horde framework
Closes: 659392
Changes: 
 imp4 (4.3.10+debian0-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix XSS (CVE-2012-0791, Closes: #659392)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:32:37 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 08:19:11 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.