Your message dated Tue, 30 Jun 2020 09:04:19 +0000
with message-id <e1jqcbf-0001ey...@fasolo.debian.org>
and subject line Bug#955020: fixed in php-horde-form 2.0.20-1
has caused the Debian Bug report #955020,
regarding php-horde-form: CVE-2020-8866
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
955020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955020
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-form
Version: 2.0.19-1
Severity: important
Tags: security upstream
Control: found -1 2.0.18-3.1
Control: found -1 2.0.15-1+deb9u1
Control: found -1 2.0.15-1
Hi,
The following vulnerability was published for php-horde-form.
CVE-2020-8866[0]:
| This vulnerability allows remote attackers to create arbitrary files
| on affected installations of Horde Groupware Webmail Edition 5.2.22.
| Authentication is required to exploit this vulnerability. The specific
| flaw exists within add.php. The issue results from the lack of proper
| validation of user-supplied data, which can allow the upload of
| arbitrary files. An attacker can leverage this in conjunction with
| other vulnerabilities to execute code in the context of the www-data
| user. Was ZDI-CAN-10125.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-8866
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8866
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: php-horde-form
Source-Version: 2.0.20-1
Done: Mike Gabriel <sunwea...@debian.org>
We believe that the bug you reported is fixed in the latest version of
php-horde-form, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 955...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated php-horde-form package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 30 Jun 2020 10:36:20 +0200
Source: php-horde-form
Architecture: source
Version: 2.0.20-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <team+debian-horde-t...@tracker.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 955020
Changes:
php-horde-form (2.0.20-1) unstable; urgency=medium
.
[ Juri Grabowski ]
* New upstream version 2.0.20
* SECURITY: Prevent ability to specify temporary filename (CVE-2020-8866)
(Closes: #955020).
.
[ Mike Gabriel ]
* d/salsa-ci.yml: Add file with salsa-ci.yml and pipeline-jobs.yml calls.
* d/control: Bump DH compat level to version 13.
* d/control: Add to Uploaders: Juri Grabowski.
--- End Message ---