Your message dated Fri, 21 Mar 2008 07:52:24 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#470640: fixed in horde3 3.0.4-4sarge7 has caused the Debian Bug report #470640, regarding horde3: CVE-2008-1284 file inclusion vulnerability to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 470640: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470640 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems
--- Begin Message ---Package: horde3 Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for horde3. CVE-2008-1284[0]: | Directory traversal vulnerability in Horde 3.1.6, Groupware before | 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with | certain configurations, allows remote authenticated users to read and | execute arbitrary files via ".." sequences and a null byte in the | theme name. Patch is on: http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.6-3.1.7.gz If you fix this vulnerability please also include the CVE id in your changelog entry. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1284 Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.pgp08NxVptMIK.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---Source: horde3 Source-Version: 3.0.4-4sarge7 We believe that the bug you reported is fixed in the latest version of horde3, which is due to be installed in the Debian FTP archive: horde3_3.0.4-4sarge7.diff.gz to pool/main/h/horde3/horde3_3.0.4-4sarge7.diff.gz horde3_3.0.4-4sarge7.dsc to pool/main/h/horde3/horde3_3.0.4-4sarge7.dsc horde3_3.0.4-4sarge7_all.deb to pool/main/h/horde3/horde3_3.0.4-4sarge7_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Gregory Colpart (evolix) <[EMAIL PROTECTED]> (supplier of updated horde3 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Sat, 15 Mar 2008 19:17:29 +0100 Source: horde3 Binary: horde3 Architecture: source all Version: 3.0.4-4sarge7 Distribution: oldstable-security Urgency: high Maintainer: Ola Lundqvist <[EMAIL PROTECTED]> Changed-By: Gregory Colpart (evolix) <[EMAIL PROTECTED]> Description: horde3 - horde web application framework Closes: 470640 Changes: horde3 (3.0.4-4sarge7) oldstable-security; urgency=high . * Fix arbitrary file inclusion through abuse of the theme preference (see CVE-2008-1284 for more informations). (Closes: #470640) Files: b3374347290398c40e95d94ca72f089c 920 web optional horde3_3.0.4-4sarge7.dsc 01c1df81c247bf310367f50859ebb2ff 14280 web optional horde3_3.0.4-4sarge7.diff.gz 4c4fa0aa9f5347785ca74f414165f934 3437956 web optional horde3_3.0.4-4sarge7_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR9xX42z0hbPcukPfAQLMlQf/YvXW5eFRtzjvnxq3WMO4k2Qgpv1bkqfu M1KcDyY8dX5HwPrURoOhm17EGjSVMKMjZWh03TFFI3uvW24VCSUEJ6yhFir5StlS qsSmaAIarVzM37BxhIpX4Iyz0fyvAPMbFl+p+dypVVKUdjgt0UF6HXpW4OJyuzQt AIghLwYTEp5I2zcb4Ki+PYlkMFSZFRlQ8LaB/Fus3vBfgdB8U1wLZKMC7xNYXUVR unwqoee0PF6Q4Voy4jdh04cj9vV0l5M/F9eL7Qq1TO5ICSyyM5T5stWvmrlkU/TG +bOBNw6b0DbFuOpPTbQVNyEycvHXpNgOX08O/TzPmfK79WVnBmchSg== =nxmh -----END PGP SIGNATURE-----
--- End Message ---