Your message dated Sat, 13 Jun 2020 15:47:09 +0000 with message-id <e1jk8nb-000ccq...@fasolo.debian.org> and subject line Bug#961649: fixed in php-horde-gollem 3.0.12-3+deb10u1 has caused the Debian Bug report #961649, regarding php-horde-gollem: CVE-2020-8034 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 961649: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961649 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: php-horde-gollem Version: 3.0.12-5 Severity: grave Tags: security upstream Control: found -1 3.0.12-3 Hi, The following vulnerability was published for php-horde-gollem. CVE-2020-8034[0]: | Gollem before 3.0.13, as used in Horde Groupware Webmail Edition | 5.2.22 and other products, is affected by a reflected Cross-Site | Scripting (XSS) vulnerability via the HTTP GET dir parameter in the | browser functionality, affecting breadcrumb output. An attacker can | obtain access to a victim's webmail account by making them visit a | malicious URL. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-8034 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8034 [1] https://lists.horde.org/archives/announce/2020/001289.html Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: php-horde-gollem Source-Version: 3.0.12-3+deb10u1 Done: Mike Gabriel <sunwea...@debian.org> We believe that the bug you reported is fixed in the latest version of php-horde-gollem, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 961...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Mike Gabriel <sunwea...@debian.org> (supplier of updated php-horde-gollem package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sun, 31 May 2020 16:20:16 +0200 Source: php-horde-gollem Architecture: source Version: 3.0.12-3+deb10u1 Distribution: buster Urgency: medium Maintainer: Horde Maintainers <team+debian-horde-t...@tracker.debian.org> Changed-By: Mike Gabriel <sunwea...@debian.org> Closes: 961649 Changes: php-horde-gollem (3.0.12-3+deb10u1) buster; urgency=medium . * debian/patches: + Add CVE-2020-8034.patch. Fix XSS vulnerability in breadcrumb output (Reported by: polict of Shielder). (Closes: #961649, CVE-2020-8034). Checksums-Sha1: 2beadc2832b23a4513e2205b1134ee658c9a9be0 2091 php-horde-gollem_3.0.12-3+deb10u1.dsc 8bfb1711723b5f0d8428f4ba14e3bf008afc0ac6 3596 php-horde-gollem_3.0.12-3+deb10u1.debian.tar.xz 7927e622bb5c303a6ff023d19990057b9a037499 7049 php-horde-gollem_3.0.12-3+deb10u1_source.buildinfo Checksums-Sha256: 20a00b93b829a145f79c65febdca5c8f06addc8c17d4c6a54a22205896459ca2 2091 php-horde-gollem_3.0.12-3+deb10u1.dsc 5a30900841e5d0dd153abe7f5540cab2d2e2b7cd71cbf31791609267a91c7d50 3596 php-horde-gollem_3.0.12-3+deb10u1.debian.tar.xz fe55d9d0c7b10f3273a0c43cdb0fad7ea7dbe30a479597e6284df3b7852c78a2 7049 php-horde-gollem_3.0.12-3+deb10u1_source.buildinfo Files: d90fea314f311288cb9076d157c58ece 2091 php optional php-horde-gollem_3.0.12-3+deb10u1.dsc d6ab1f17dddf44ab95415ac911f2f30d 3596 php optional php-horde-gollem_3.0.12-3+deb10u1.debian.tar.xz c40ec6fe85a9a590e8539a4e3ec054dc 7049 php optional php-horde-gollem_3.0.12-3+deb10u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl7Tw40VHHN1bndlYXZl ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxpV8P/2wc87SP3Dy1OG1I+Xb1OYpBAeC9 tl/p3GxSuPQIrsEMcu/tFg+hlPNxOnYuXrRNJdqgFYufYUQAAhw0uwf3vi++wCAJ jJzp5Swluj/HgBmA/2LMPxKsEyq/i/fybbj5ZSbqjodUQgBY7K3sqP2t6gRfchIM +XyXcMbJHLBRUC/vnwRiZS9lR1DYPJ1xy1n7CcQ4fLTsTEgT+s8l22mYqBEEpFgP 1KNdn6H6BBg/1v7HUtDB9JFOiz/aOGOrXnakTCEyQdbp5m9IXpW6TDBBrLgvpOp/ RgJwgZLw+uTjCQU0clL/v4eFAwfHiZtm9wAdK/6ekImPvlTGtmsrerS5J8JIMeSH m3HL2oV9TeocKRQAvxOUT2rFm3dAQ7DOh9UQLcwIulT/vofLfIQPDb3WoINMPkkr MMSpHEX4SD2K8+L6IStk+Qo8dXpDpPD8anhDHMYOP1ECkp0Z3cy5mrHLQ2d+tYIw SqpffPk9/LMDGWvSfQTagX2zTGgHjY7JZNFU/qkiX8SrVWKp3X6zHdww4C7WJiL1 aYt15elv7qnYoxII3G9WmKa8BF5jkKg95qDmEeNee4eqnFECU03tSncM8j/T1rOQ 6vCWDhDLF+t4tT/A3L3usZs2R+2LqVw0vkL7kzOruY5OxkRRwWu4ftsWm+O1hdiR b6u7vHAFQmK67j69 =NF7x -----END PGP SIGNATURE-----
--- End Message ---
