Your message dated Sat, 14 Dec 2019 20:47:39 +0000
with message-id <[email protected]>
and subject line Bug#946343: fixed in davical 1.1.5-1+deb9u1
has caused the Debian Bug report #946343,
regarding davical: CVE-2019-18345 CVE-2019-18346 CVE-2019-18347
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
946343: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946343
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: davical
Version: 1.1.8-1
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for davical.

CVE-2019-18345[0]:
| Reflected Cross-Site Scripting (XSS) vulnerability

CVE-2019-18346[1]:
| A CSRF issue was discovered in DAViCal through 1.1.8. If an
| authenticated user visits an attacker-controlled webpage, the attacker
| can send arbitrary requests in the name of the user to the
| application. If the attacked user is an administrator, the attacker
| could for example add a new admin user.


CVE-2019-18347[2]:
| A stored XSS issue was discovered in DAViCal through 1.1.8. It does
| not adequately sanitize output of various fields that can be set by
| unprivileged users, making it possible for JavaScript stored in those
| fields to be executed by another (possibly privileged) user. Affected
| database fields include Username, Display Name, and Email.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-18345
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18345
[1] https://security-tracker.debian.org/tracker/CVE-2019-18346
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18346
[2] https://security-tracker.debian.org/tracker/CVE-2019-18347
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18347

Please adjust the affected versions in the BTS as needed. If affected
versions do not match for all those, feel free to clone individual bugs
respectively.

Regards,
Salvatore

--- End Message ---
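The two vulnerability classes in the report above (stored XSS through unescaped Username, Display Name and Email fields, and CSRF against a privileged admin action such as adding an admin user) both come down to the same defensive pattern. The following is an added, constructed illustration of that pattern, not DAViCal's code and not the Debian fix: user-set fields are escaped at output time for both text and attribute context, and the state-changing action is refused unless the request carries the session's own token. Function names, sample records and the session dict are assumptions for the example.

```python
import html
import hmac
import secrets

# Constructed records standing in for the user-editable fields the advisory
# names (Username, Display Name, Email). Not DAViCal data or code.
SAMPLE_USERS = [
    {"username": "alice", "fullname": "Alice Example",
     "email": "alice@example.invalid"},
    {"username": "mallory", "fullname": "<i>not</i> escaped",
     "email": "x\" title=\"injected"},
]


def render_user_row(user: dict) -> str:
    """Render one admin-page table row with every field escaped for HTML
    text *and* attribute context (quote=True turns " and ' into entities)."""
    cells = []
    for key in ("username", "fullname", "email"):
        safe = html.escape(str(user.get(key, "")), quote=True)
        cells.append(f'<td title="{safe}">{safe}</td>')
    return "<tr>" + "".join(cells) + "</tr>"


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the user's server-side session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def verify_csrf(session: dict, submitted) -> bool:
    """Constant-time comparison; a missing session or form token never matches."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_add_admin(session: dict, form: dict, admins: set) -> str:
    """State-changing admin action: refuse before touching any state unless the
    request carries the session's token, which a cross-site form cannot read."""
    if not verify_csrf(session, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    admins.add(form["username"])
    return f"added admin {form['username']}"
```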
--- Begin Message ---
Source: davical
Source-Version: 1.1.5-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
davical, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Schlichting <[email protected]> (supplier of updated davical package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 13 Dec 2019 07:59:08 +0800
Source: davical
Binary: davical davical-doc
Architecture: source all
Version: 1.1.5-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Davical Development Team <[email protected]>
Changed-By: Florian Schlichting <[email protected]>
Description:
 davical    - PHP CalDAV and CardDAV Server
 davical-doc - PHP CalDAV and CardDAV Server - technical documentation
Closes: 946343
Changes:
 davical (1.1.5-1+deb9u1) stretch-security; urgency=high
 .
   * Fix three cross-site scripting and cross-site request forgery
     vulnerabilities in the web administration front-end:
     CVE-2019-18345 CVE-2019-18346 CVE-2019-18347 (closes: #946343)


--- End Message ---
