Your message dated Fri, 21 Mar 2008 07:52:24 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#470640: fixed in horde3 3.0.4-4sarge7
has caused the Debian Bug report #470640,
regarding horde3: CVE-2008-1284 file inclusion vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
470640: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470640
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: horde3
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for horde3.
CVE-2008-1284[0]:
| Directory traversal vulnerability in Horde 3.1.6, Groupware before
| 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with
| certain configurations, allows remote authenticated users to read and
| execute arbitrary files via ".." sequences and a null byte in the
| theme name.
Patch is on:
http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.6-3.1.7.gz
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1284
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgp08NxVptMIK.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: horde3
Source-Version: 3.0.4-4sarge7
We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:
horde3_3.0.4-4sarge7.diff.gz
to pool/main/h/horde3/horde3_3.0.4-4sarge7.diff.gz
horde3_3.0.4-4sarge7.dsc
to pool/main/h/horde3/horde3_3.0.4-4sarge7.dsc
horde3_3.0.4-4sarge7_all.deb
to pool/main/h/horde3/horde3_3.0.4-4sarge7_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <[EMAIL PROTECTED]> (supplier of updated horde3
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 15 Mar 2008 19:17:29 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge7
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist <[EMAIL PROTECTED]>
Changed-By: Gregory Colpart (evolix) <[EMAIL PROTECTED]>
Description:
horde3 - horde web application framework
Closes: 470640
Changes:
horde3 (3.0.4-4sarge7) oldstable-security; urgency=high
.
* Fix arbitrary file inclusion through abuse of the theme preference (see
CVE-2008-1284 for more informations). (Closes: #470640)
Files:
b3374347290398c40e95d94ca72f089c 920 web optional horde3_3.0.4-4sarge7.dsc
01c1df81c247bf310367f50859ebb2ff 14280 web optional
horde3_3.0.4-4sarge7.diff.gz
4c4fa0aa9f5347785ca74f414165f934 3437956 web optional
horde3_3.0.4-4sarge7_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR9xX42z0hbPcukPfAQLMlQf/YvXW5eFRtzjvnxq3WMO4k2Qgpv1bkqfu
M1KcDyY8dX5HwPrURoOhm17EGjSVMKMjZWh03TFFI3uvW24VCSUEJ6yhFir5StlS
qsSmaAIarVzM37BxhIpX4Iyz0fyvAPMbFl+p+dypVVKUdjgt0UF6HXpW4OJyuzQt
AIghLwYTEp5I2zcb4Ki+PYlkMFSZFRlQ8LaB/Fus3vBfgdB8U1wLZKMC7xNYXUVR
unwqoee0PF6Q4Voy4jdh04cj9vV0l5M/F9eL7Qq1TO5ICSyyM5T5stWvmrlkU/TG
+bOBNw6b0DbFuOpPTbQVNyEycvHXpNgOX08O/TzPmfK79WVnBmchSg==
=nxmh
-----END PGP SIGNATURE-----
--- End Message ---
