Your message dated Sat, 11 Jul 2009 13:55:41 +0000
with message-id <e1mpd3f-00054s...@ries.debian.org>
and subject line Bug#536554: fixed in sork-passwd-h3 3.0-2+lenny1
has caused the Debian Bug report #536554,
regarding CVE-2009-2360: Cross-site scripting vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
536554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536554
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sork-passwd-h3
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sork-passwd-h3.

CVE-2009-2360[0]:
| Cross-site scripting (XSS) vulnerability in passwd/main.php in the
| Passwd module before 3.1.1 for Horde allows remote attackers to inject
| arbitrary web script or HTML via the backend parameter.

The upstream patch can be found here[1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2360
    http://security-tracker.debian.net/tracker/CVE-2009-2360
[1] http://bugs.horde.org/ticket/8398



--- End Message ---
--- Begin Message ---
Source: sork-passwd-h3
Source-Version: 3.0-2+lenny1

We believe that the bug you reported is fixed in the latest version of
sork-passwd-h3, which is due to be installed in the Debian FTP archive:

sork-passwd-h3_3.0-2+lenny1.diff.gz
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+lenny1.diff.gz
sork-passwd-h3_3.0-2+lenny1.dsc
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+lenny1.dsc
sork-passwd-h3_3.0-2+lenny1_all.deb
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 536...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <wh...@debian.org> (supplier of updated sork-passwd-h3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 11 Jul 2009 06:31:33 +0000
Source: sork-passwd-h3
Binary: sork-passwd-h3
Architecture: source all
Version: 3.0-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian Horde Maintainers <pkg-horde-hack...@lists.alioth.debian.org>
Changed-By: Steffen Joeris <wh...@debian.org>
Description: 
 sork-passwd-h3 - Horde3 module for users to change their password
Closes: 536554
Changes: 
 sork-passwd-h3 (3.0-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix XSS in backend parameter (Closes: #536554)
     Fixes: CVE-2009-2360

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpYNVIACgkQ62zWxYk/rQfyTwCfVnMJfZ+NQhlxt3FHFqoQJTxh
hN8AoLTmsAo9G4w3k7picuU6EbHBOjnm
=4lKJ
-----END PGP SIGNATURE-----



--- End Message ---
