Your message dated Mon, 12 Sep 2005 08:32:08 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#327727: fixed in courier 0.47-9 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------

Date: Sun, 11 Sep 2005 14:18:11 -0400
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: SqWebMail HTML Emails Script Insertion Vulnerability [CAN-2005-2769]
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>

Package: sqwebmail
Severity: serious
Version: 0.47-8
Tags: security

Another cross site scripting bug has been found in sqwebmail. Note that this is different from #327181.

http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036622.html

This is CAN-2005-2769.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

--
see shy jo

---------------------------------------

From: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#327727: fixed in courier 0.47-9
Date: Mon, 12 Sep 2005 08:32:08 -0700

Source: courier
Source-Version: 0.47-9

We believe that the bug you reported is fixed in the latest version of courier, which is due to be installed in the Debian FTP archive:

courier-authdaemon_0.47-9_i386.deb
  to pool/main/c/courier/courier-authdaemon_0.47-9_i386.deb
courier-authmysql_0.47-9_i386.deb
  to pool/main/c/courier/courier-authmysql_0.47-9_i386.deb
courier-authpostgresql_0.47-9_i386.deb
  to pool/main/c/courier/courier-authpostgresql_0.47-9_i386.deb
courier-base_0.47-9_i386.deb
  to pool/main/c/courier/courier-base_0.47-9_i386.deb
courier-doc_0.47-9_all.deb
  to pool/main/c/courier/courier-doc_0.47-9_all.deb
courier-faxmail_0.47-9_i386.deb
  to pool/main/c/courier/courier-faxmail_0.47-9_i386.deb
courier-imap-ssl_3.0.8-9_i386.deb
  to pool/main/c/courier/courier-imap-ssl_3.0.8-9_i386.deb
courier-imap_3.0.8-9_i386.deb
  to pool/main/c/courier/courier-imap_3.0.8-9_i386.deb
courier-ldap_0.47-9_i386.deb
  to pool/main/c/courier/courier-ldap_0.47-9_i386.deb
courier-maildrop_0.47-9_i386.deb
  to pool/main/c/courier/courier-maildrop_0.47-9_i386.deb
courier-mlm_0.47-9_i386.deb
  to pool/main/c/courier/courier-mlm_0.47-9_i386.deb
courier-mta-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-mta-ssl_0.47-9_i386.deb
courier-mta_0.47-9_i386.deb
  to pool/main/c/courier/courier-mta_0.47-9_i386.deb
courier-pcp_0.47-9_i386.deb
  to pool/main/c/courier/courier-pcp_0.47-9_i386.deb
courier-pop-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-pop-ssl_0.47-9_i386.deb
courier-pop_0.47-9_i386.deb
  to pool/main/c/courier/courier-pop_0.47-9_i386.deb
courier-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-ssl_0.47-9_i386.deb
courier-webadmin_0.47-9_i386.deb
  to pool/main/c/courier/courier-webadmin_0.47-9_i386.deb
courier_0.47-9.diff.gz
  to pool/main/c/courier/courier_0.47-9.diff.gz
courier_0.47-9.dsc
  to pool/main/c/courier/courier_0.47-9.dsc
sqwebmail_0.47-9_i386.deb
  to pool/main/c/courier/sqwebmail_0.47-9_i386.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <[EMAIL PROTECTED]> (supplier of updated courier package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Mon, 12 Sep 2005 16:29:35 +0200
Source: courier
Binary: courier-authpostgresql courier-ldap courier-faxmail courier-pcp courier-authmysql courier-imap courier-authdaemon courier-base sqwebmail courier-ssl courier-pop courier-mta courier-webadmin courier-imap-ssl courier-doc courier-mlm courier-maildrop courier-mta-ssl courier-pop-ssl
Architecture: source i386 all
Version: 0.47-9
Distribution: unstable
Urgency: high
Maintainer: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Changed-By: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Description:
 courier-authdaemon - Courier Mail Server - Authentication daemon
 courier-authmysql - Courier Mail Server - MySQL authentication
 courier-authpostgresql - Courier Mail Server - PostgreSQL Authentication
 courier-base - Courier Mail Server - Base system
 courier-doc - Courier Mail Server - Additional documentation
 courier-faxmail - Courier Mail Server - Faxmail gateway
 courier-imap - Courier Mail Server - IMAP server
 courier-imap-ssl - Courier Mail Server - IMAP over SSL
 courier-ldap - Courier Mail Server - LDAP support
 courier-maildrop - Courier Mail Server - Mail delivery agent
 courier-mlm - Courier Mail Server - Mailing list manager
 courier-mta - Courier Mail Server - ESMTP daemon
 courier-mta-ssl - Courier Mail Server - ESMTP over SSL
 courier-pcp - Courier Mail Server - PCP server
 courier-pop - Courier Mail Server - POP3 server
 courier-pop-ssl - Courier Mail Server - POP3 over SSL
 courier-ssl - Courier Mail Server - SSL/TLS Support
 courier-webadmin - Courier Mail Server - Web-based administration frontend
 sqwebmail - Courier Mail Server - Webmail server
Closes: 327162 327181 327727
Changes:
 courier (0.47-9) unstable; urgency=high
 .
   * applied extended patch for cross-site scripting issues in sqwebmail
     to filter out certain MSIE-only scripting constructs (Closes:
     #327181, thanks to Martin Schulze <[EMAIL PROTECTED]> for the original
     report), also fixes the issue described in [CAN-2005-2769]
     (Closes: #327727)
   * fix FTBFS due to changed behaviour of find binary (Closes: #327162,
     thanks to Matt Kraai <[EMAIL PROTECTED]> for the report and Willi Mann
     <[EMAIL PROTECTED]> for the patch)