Your message dated Mon, 15 Jun 2020 19:02:24 +0000
with message-id <e1jkune-0006b2...@fasolo.debian.org>
and subject line Bug#961649: fixed in php-horde-gollem 3.0.10-1+deb9u1
has caused the Debian Bug report #961649,
regarding php-horde-gollem: CVE-2020-8034
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
961649: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961649
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-gollem
Version: 3.0.12-5
Severity: grave
Tags: security upstream
Control: found -1 3.0.12-3

Hi,

The following vulnerability was published for php-horde-gollem.

CVE-2020-8034[0]:
| Gollem before 3.0.13, as used in Horde Groupware Webmail Edition
| 5.2.22 and other products, is affected by a reflected Cross-Site
| Scripting (XSS) vulnerability via the HTTP GET dir parameter in the
| browser functionality, affecting breadcrumb output. An attacker can
| obtain access to a victim's webmail account by making them visit a
| malicious URL.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8034
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8034
[1] https://lists.horde.org/archives/announce/2020/001289.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-horde-gollem
Source-Version: 3.0.10-1+deb9u1
Done: Mike Gabriel <sunwea...@debian.org>

We believe that the bug you reported is fixed in the latest version of
php-horde-gollem, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated php-horde-gollem package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 31 May 2020 16:43:57 +0200
Source: php-horde-gollem
Architecture: source
Version: 3.0.10-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Horde Maintainers <pkg-horde-hack...@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 961649
Changes:
 php-horde-gollem (3.0.10-1+deb9u1) stretch; urgency=medium
 .
   * debian/patches:
     + Add CVE-2020-8034.patch. Fix XSS vulnerability in breadcrumb output
       (Reported by: polict of Shielder). (Closes: #961649, CVE-2020-8034).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
