Your message dated Thu, 29 Jan 2009 01:47:06 +0000
with message-id <[email protected]>
and subject line Bug#512592: fixed in horde3 3.2.2+debian0-2
has caused the Debian Bug report #512592,
regarding CVE-2008-5917: Cross-site scripting (XSS) vulnerability in the XSS filter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
512592: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512592
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: horde3
Version: 3.2.2+debian0-1
Severity: important
Tags: security patch

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
horde3.

CVE-2008-5917[1]:
> Cross-site scripting (XSS) vulnerability in the XSS filter
> (framework/Text_Filter/Filter/xss.php) in Horde Application Framework 3.2.2
> and 3.3, when Internet Explorer is being used, allows remote attackers to
> inject arbitrary web script or HTML via unknown vectors related to style
> attributes.

The changes made by upstream to fix this bug are available at [2].

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5917
     http://security-tracker.debian.net/tracker/CVE-2008-5917
[2] http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/xss.php?r1=1.17&r2=1.18

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net



--- End Message ---
--- Begin Message ---
Source: horde3
Source-Version: 3.2.2+debian0-2

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.2.2+debian0-2.diff.gz
  to pool/main/h/horde3/horde3_3.2.2+debian0-2.diff.gz
horde3_3.2.2+debian0-2.dsc
  to pool/main/h/horde3/horde3_3.2.2+debian0-2.dsc
horde3_3.2.2+debian0-2_all.deb
  to pool/main/h/horde3/horde3_3.2.2+debian0-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart <[email protected]> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Thu, 29 Jan 2009 01:15:51 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.2.2+debian0-2
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <[email protected]>
Changed-By: Gregory Colpart <[email protected]>
Description: 
 horde3     - horde web application framework
Closes: 512592 513265
Changes: 
 horde3 (3.2.2+debian0-2) unstable; urgency=high
 .
   * Add information in README.Debian about test.php files: these files should
     not be "allow from all", because test.php includes private information and
     could be unsafe (for example see CVE-2008-4182).
   * Include a patch from Horde upstream to fix an IE-only hole in XSS filter
     (See CVE-2008-5917 for more information). (Closes: #512592)
   * Include patches from Horde upstream to fix a file inclusion issue in
     Horde_Image driver name (Image/Image.php) and an unescaped output in
     the tag cloud block (services/portal/cloud_search.php). (Closes: #513265)
Checksums-Sha1: 
 4b8dcdac985d32f53fc43bafe80a72a863067dbc 1360 horde3_3.2.2+debian0-2.dsc
 29b2ff3287c0d505d3f2bbb5fcd6608c73ccb755 23856 horde3_3.2.2+debian0-2.diff.gz
 861b3314df8c0887148fd6fe4d847481d9a0aae2 7215490 horde3_3.2.2+debian0-2_all.deb
Checksums-Sha256: 
 8d1ea931167d20e47faa0751d021fabe09100212b76bb8152f7ce93aed47fb78 1360 horde3_3.2.2+debian0-2.dsc
 4e55e03dd7fc884d05a8d1b6b6b4bf660a771acdeebb97e6335050a324f7b41e 23856 horde3_3.2.2+debian0-2.diff.gz
 5efce58e08ac7b1f9779a31b71b226f0b719ffbd2cf41dd51b0e9b7cb71dbe62 7215490 horde3_3.2.2+debian0-2_all.deb
Files: 
 5a63857027659277189fb113731e6116 1360 web optional horde3_3.2.2+debian0-2.dsc
 bd040798ef3629b8a95c5c57773f6191 23856 web optional horde3_3.2.2+debian0-2.diff.gz
 12698e83f292061100570685bc647d01 7215490 web optional horde3_3.2.2+debian0-2_all.deb




--- End Message ---
