Your message dated Sat, 14 Dec 2019 20:47:08 +0000
with message-id <[email protected]>
and subject line Bug#946343: fixed in davical 1.1.8-1+deb10u1
has caused the Debian Bug report #946343,
regarding davical: CVE-2019-18345 CVE-2019-18346 CVE-2019-18347
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
946343: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946343
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: davical
Version: 1.1.8-1
Severity: important
Tags: security upstream
Hi,
The following vulnerabilities were published for davical.
CVE-2019-18345[0]:
| Reflected Cross-Site Scripting (XSS) vulnerability
CVE-2019-18346[1]:
| A CSRF issue was discovered in DAViCal through 1.1.8. If an
| authenticated user visits an attacker-controlled webpage, the attacker
| can send arbitrary requests in the name of the user to the
| application. If the attacked user is an administrator, the attacker
| could for example add a new admin user.
CVE-2019-18347[2]:
| A stored XSS issue was discovered in DAViCal through 1.1.8. It does
| not adequately sanitize output of various fields that can be set by
| unprivileged users, making it possible for JavaScript stored in those
| fields to be executed by another (possibly privileged) user. Affected
| database fields include Username, Display Name, and Email.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-18345
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18345
[1] https://security-tracker.debian.org/tracker/CVE-2019-18346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18346
[2] https://security-tracker.debian.org/tracker/CVE-2019-18347
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18347
Please adjust the affected versions in the BTS as needed. If affected
versions do not match for all those, feel free to clone individual bugs
respectively.
Regards,
Salvatore
--- End Message ---
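The two defects described in the report above, inadequate output escaping of user-settable profile fields (stored XSS) and admin actions that accept any authenticated request (CSRF), have a standard pair of mitigations. The following PHP is an added example written for this page and is not DAViCal's code or its actual fix: it escapes every displayed field with htmlspecialchars() and binds a state-changing admin action to a per-session token checked with hash_equals(). The `$session` array stands in for `$_SESSION`, and `$createUser` is a hypothetical persistence callback.

```php
<?php
// Added example, not DAViCal's code. Demonstrates the two controls the
// CVE descriptions call for, in plain PHP without a framework.
declare(strict_types=1);

/** Escape a string for safe insertion into HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render a user record as a table row; every field passes through h(). */
function render_user_row(array $user): string
{
    return sprintf(
        "<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n",
        h($user['username']),
        h($user['fullname']),
        h($user['email'])
    );
}

/** Return the session's CSRF token, creating a random one on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden input that every state-changing form must carry. */
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="' . h(csrf_token($session)) . '">';
}

/** True only for a POST whose token matches the session token (constant-time compare). */
function csrf_valid(array $session, array $post, string $method): bool
{
    if ($method !== 'POST' || empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

/** Admin action guarded by the token; $createUser is a hypothetical persistence callback. */
function handle_add_admin(array $session, array $post, string $method, callable $createUser): string
{
    if (!csrf_valid($session, $post, $method)) {
        http_response_code(403);
        return 'Rejected: missing or invalid CSRF token';
    }
    $createUser($post['username'] ?? '', true);
    return 'Created admin user ' . h($post['username'] ?? '');
}

// --- Demonstration with constructed data ---------------------------------
$session = [];

// Constructed record: an unprivileged user who stored markup in a display name.
$user = [
    'username' => 'mallory',
    'fullname' => 'Mallory <script>alert(1)</script>',
    'email'    => 'mallory@example.invalid',
];
// The script tag is emitted as visible text (&lt;script&gt;...), not as markup.
echo render_user_row($user);

// A form rendered by the application carries the session token...
echo csrf_field($session), "\n";

// ...so a forged cross-site POST without it is refused, while a genuine
// submission that includes the token is processed.
$created = [];
$record = function (string $name, bool $isAdmin) use (&$created): void {
    $created[] = [$name, $isAdmin];
};
echo handle_add_admin($session, ['username' => 'evil', 'csrf_token' => 'guess'], 'POST', $record), "\n";
echo handle_add_admin($session, ['username' => 'alice', 'csrf_token' => $session['csrf_token']], 'POST', $record), "\n";
```

Run with `php example.php`: the first row shows the stored markup rendered inert, the forged request is rejected with a 403, and only the token-bearing request reaches `$createUser`. The escaping happens at output time rather than on input, so a field that was stored before the fix is still displayed safely.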
--- Begin Message ---
Source: davical
Source-Version: 1.1.8-1+deb10u1
We believe that the bug you reported is fixed in the latest version of
davical, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Florian Schlichting <[email protected]> (supplier of updated davical package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 12 Dec 2019 01:08:40 +0800
Source: davical
Binary: davical davical-doc
Architecture: source all
Version: 1.1.8-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Davical Development Team <[email protected]>
Changed-By: Florian Schlichting <[email protected]>
Description:
davical - PHP CalDAV and CardDAV Server
davical-doc - PHP CalDAV and CardDAV Server - technical documentation
Closes: 946343
Changes:
davical (1.1.8-1+deb10u1) buster-security; urgency=high
.
* Fix three cross-site scripting and cross-site request forgery
vulnerabilities in the web administration front-end:
CVE-2019-18345 CVE-2019-18346 CVE-2019-18347 (closes: #946343)
Checksums-Sha1:
0fc7b8600c0566e6c7b72bd380b193df52dcb376 2111 davical_1.1.8-1+deb10u1.dsc
e832dec5daa54c02fb7d9fd9a1f24aaee91f3d56 1358060 davical_1.1.8.orig.tar.xz
fb49460e140c7737984135071ffc197fe234c0a4 16276 davical_1.1.8-1+deb10u1.debian.tar.xz
1dc1948bfa076ffa5bd64aad4ef139117b08a9e7 1238508 davical-doc_1.1.8-1+deb10u1_all.deb
52b6031975b3a6ca629ba7b7048ede333cc02685 403304 davical_1.1.8-1+deb10u1_all.deb
fe9ee46e3ab4424f985e32cb04050dcdd8bb6801 7813 davical_1.1.8-1+deb10u1_amd64.buildinfo
Checksums-Sha256:
d21cc6975dbb8a6074e27f29687b20510260f366fa42ef81266208e75f896e23 2111 davical_1.1.8-1+deb10u1.dsc
6a471cebed139711041c05e49480cbe5ec92f979a74601e3421ddf00b12b61b9 1358060 davical_1.1.8.orig.tar.xz
4f8025d1dd5fd933e7a11fe3b28ac0b12fcbfb229b568ca6b258a2a74f437bcd 16276 davical_1.1.8-1+deb10u1.debian.tar.xz
334379caa7f565150ec29e742509276c287b3a2f79cb156fa6ca9c35fe2b618c 1238508 davical-doc_1.1.8-1+deb10u1_all.deb
8d038942bc32d67b03de44d52b9950155d7650b9a409242cf691bf1855ecad63 403304 davical_1.1.8-1+deb10u1_all.deb
52fcf1e0e88a8206ef7a2f21bab249183d24036a8e3c2fa54ef26085e38a6af7 7813 davical_1.1.8-1+deb10u1_amd64.buildinfo
Files:
1e1e082a0319016440b11b4870259ae2 2111 web optional davical_1.1.8-1+deb10u1.dsc
92ec0c87613bb95ed5463159eb36b48c 1358060 web optional davical_1.1.8.orig.tar.xz
0c0f60e4635905bd697ea1104dcc4dc2 16276 web optional davical_1.1.8-1+deb10u1.debian.tar.xz
fed57ac531a9981cc8de074a16f04c90 1238508 doc optional davical-doc_1.1.8-1+deb10u1_all.deb
a2b6cec1945ed6ae6fbbba43e6fd031d 403304 web optional davical_1.1.8-1+deb10u1_all.deb
49d439a306e476526284701f7cfd1779 7813 web optional davical_1.1.8-1+deb10u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=cvaY
-----END PGP SIGNATURE-----
--- End Message ---