Your message dated Sun, 31 May 2020 14:43:26 +0000
with message-id <e1jfpbo-000a3h...@fasolo.debian.org>
and subject line Bug#961649: fixed in php-horde-gollem 3.0.12-6
has caused the Debian Bug report #961649,
regarding php-horde-gollem: CVE-2020-8034
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
961649: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961649
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-gollem
Version: 3.0.12-5
Severity: grave
Tags: security upstream
Control: found -1 3.0.12-3

Hi,

The following vulnerability was published for php-horde-gollem.

CVE-2020-8034[0]:
| Gollem before 3.0.13, as used in Horde Groupware Webmail Edition
| 5.2.22 and other products, is affected by a reflected Cross-Site
| Scripting (XSS) vulnerability via the HTTP GET dir parameter in the
| browser functionality, affecting breadcrumb output. An attacker can
| obtain access to a victim's webmail account by making them visit a
| malicious URL.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8034
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8034
[1] https://lists.horde.org/archives/announce/2020/001289.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-horde-gollem
Source-Version: 3.0.12-6
Done: Mike Gabriel <sunwea...@debian.org>

We believe that the bug you reported is fixed in the latest version of
php-horde-gollem, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated php-horde-gollem package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 31 May 2020 16:13:54 +0200
Source: php-horde-gollem
Architecture: source
Version: 3.0.12-6
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <team+debian-horde-t...@tracker.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 961649
Changes:
 php-horde-gollem (3.0.12-6) unstable; urgency=medium
 .
   * debian/patches:
     + Add CVE-2020-8034.patch. Fix XSS vulnerability in breadcrumb output
       (Reported by: polict of Shielder). (Closes: #961649).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
