Your message dated Wed, 22 Apr 2009 06:02:14 +0000
with message-id <e1lwvxc-0000av...@ries.debian.org>
and subject line Bug#524778: fixed in mahara 1.1.3-1
has caused the Debian Bug report #524778,
regarding Remote code execution via preg_replace in html2text.php
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
524778: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524778
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mahara
Version: 1.1.2-1
Severity: important
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

mahara is using the vulnerable version of html2text,
which could lead to code execution attacks, the same as CVE-2008-5619 in
roundcube.

The patch for this issue can be found at [1].

I'm not sure if it is exploitable, and the version in stable isn't affected, so I
set the severity only to important.


[1] http://trac.roundcube.net/changeset/2148

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknrjxMACgkQNxpp46476apvegCdHU0uUdAg/i9p8twr1+IMrMRZ
6cEAnAxHOcQBOWRq+OT97HQjIDB5gYTb
=pQn2
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: mahara
Source-Version: 1.1.3-1

We believe that the bug you reported is fixed in the latest version of
mahara, which is due to be installed in the Debian FTP archive:

mahara-apache2_1.1.3-1_all.deb
  to pool/main/m/mahara/mahara-apache2_1.1.3-1_all.deb
mahara_1.1.3-1.diff.gz
  to pool/main/m/mahara/mahara_1.1.3-1.diff.gz
mahara_1.1.3-1.dsc
  to pool/main/m/mahara/mahara_1.1.3-1.dsc
mahara_1.1.3-1_all.deb
  to pool/main/m/mahara/mahara_1.1.3-1_all.deb
mahara_1.1.3.orig.tar.gz
  to pool/main/m/mahara/mahara_1.1.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 524...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier <franc...@debian.org> (supplier of updated mahara package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 22 Apr 2009 17:06:36 +1200
Source: mahara
Binary: mahara mahara-apache2
Architecture: source all
Version: 1.1.3-1
Distribution: unstable
Urgency: high
Maintainer: Mahara Debian Packaging Team <pkg-deb...@mahara.org>
Changed-By: Francois Marier <franc...@debian.org>
Description: 
 mahara     - Electronic portfolio, weblog, and resume builder
 mahara-apache2 - Electronic portfolio, weblog, and resume builder - apache2 config
Closes: 524778
Changes: 
 mahara (1.1.3-1) unstable; urgency=high
 .
   * New Upstream Version
     - fixes XSS issues in user profile field and text boxes in user views
       (CVE-2009-0664)
     - fixes remote code execution in the bundled copy of html2text
       (CVE-2008-5619, closes: #524778)
   * Bump Standards-Version to 3.8.1 (no changes)
   * Remove execute bit on a bunch of Javascript files (lintian warning)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknupj0ACgkQScUZKBnQNIb5agCglNYpjEc1MO2C44K0oDi+xHJ5
e2gAn1Jzc5S7mLE++CsPSeKb5A5WHswa
=91Iw
-----END PGP SIGNATURE-----



--- End Message ---
