Your message dated Sun, 18 Jan 2026 11:06:23 +0000
with message-id <[email protected]>
and subject line Bug#1101015: fixed in hoteldruid 3.0.8-1
has caused the Debian Bug report #1101015,
regarding hoteldruid: CVE-2025-25747 CVE-2025-25748 CVE-2025-25749
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1101015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101015
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: hoteldruid
Version: 3.0.6-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for hoteldruid.
CVE-2025-25747[0]:
| Cross Site Scripting vulnerability in DigitalDruid HotelDruid
| v.3.0.7 allows an attacker to execute arbitrary code and obtain
| sensitive information via the ripristina_backup parameter in the
| crea_backup.php endpoint
CVE-2025-25748[1]:
| A CSRF vulnerability in the gestione_utenti.php endpoint of
| HotelDruid 3.0.7 allows attackers to perform unauthorized actions
| (e.g., modifying user passwords) on behalf of authenticated users by
| exploiting the lack of origin or referrer validation and the absence
| of CSRF tokens. NOTE: this is disputed because there is an
| id_sessione CSRF token.
CVE-2025-25749[2]:
| An issue in HotelDruid version 3.0.7 and earlier allows users to set
| weak passwords due to the lack of enforcement of password strength
| policies.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-25747
    https://www.cve.org/CVERecord?id=CVE-2025-25747
[1] https://security-tracker.debian.org/tracker/CVE-2025-25748
    https://www.cve.org/CVERecord?id=CVE-2025-25748
[2] https://security-tracker.debian.org/tracker/CVE-2025-25749
    https://www.cve.org/CVERecord?id=CVE-2025-25749
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: hoteldruid
Source-Version: 3.0.8-1
Done: Marco Maria Francesco De Santis <[email protected]>
We believe that the bug you reported is fixed in the latest version of
hoteldruid, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco Maria Francesco De Santis <[email protected]> (supplier of updated
hoteldruid package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 05 Dec 2025 12:02:26 +0000
Source: hoteldruid
Architecture: source
Version: 3.0.8-1
Distribution: unstable
Urgency: low
Maintainer: Marco Maria Francesco De Santis <[email protected]>
Changed-By: Marco Maria Francesco De Santis <[email protected]>
Closes: 1101015 1108154 1122815 1123490 1123636 1123717 1124091 1124281
Changes:
hoteldruid (3.0.8-1) unstable; urgency=low
.
* New upstream release
- Fixes XSS, weak passwords and DoS vulnerabilities.
(Ref: CVE-2025-25747, CVE-2025-25748, CVE-2025-25749, CVE-2025-44203,
CVE-2025-55816)
(Closes: #1101015, #1108154, #1122815)
* debian/control: updated Standards-Version (no changes needed) and new
Vcs-Git and Vcs-Browser fields.
* debian/install: added 128x128 png icon and updated other logo icons.
* debian/watch: updated format to version 5.
* debian/config: added check for weak passwords.
* Added lintian overrides for pedantic level.
* new Catalan debconf translation by poc senderi. (Closes: #1123636)
* new Galician debconf translation by Pablo.
* new Turkish debconf translation by Nuri KÜÇÜKLER.
* updated German debconf translation by Helge Kreutzmann.
(Closes: #1123717)
* updated Dutch debconf translation by Frans Spiesschaert.
* updated Polish debconf translation by Marcin Owsiany.
* updated Swedish debconf translation by Anders Jonsson.
(Closes: #1123490)
* updated Russian debconf translation by Alexander Golubev.
* updated French debconf translation by Jean-Pierre Giraud.
* updated Portuguese debconf translation by Américo Monteiro.
(Closes: #1124091)
* updated Brazilian Portuguese debconf translation by Adriano Rafael
Gomes. (Closes: #1124281)
* updated Italian and Spanish debconf translations.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
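The bug report asks that the CVE ids appear in the changelog entry, and the closing upload lists them next to its `Closes:` markers. The following check is an added example, not part of either message or of Debian's tooling: it audits a changelog entry against a bug number and the CVE ids reported in it. The function names and the simplified `Closes:` pattern are assumptions made for illustration.

```python
import re

# Security-relevant lines of the 3.0.8-1 changelog entry quoted in the closing
# message; the text is from the page, the indentation is constructed.
CHANGES = """\
hoteldruid (3.0.8-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes XSS, weak passwords and DoS vulnerabilities.
       (Ref: CVE-2025-25747, CVE-2025-25748, CVE-2025-25749, CVE-2025-44203,
       CVE-2025-55816)
       (Closes: #1101015, #1108154, #1122815)
   * debian/config: added check for weak passwords.
   * new Catalan debconf translation by poc senderi. (Closes: #1123636)
"""

# CVE ids listed in bug report #1101015 (first message).
REPORTED = {"CVE-2025-25747", "CVE-2025-25748", "CVE-2025-25749"}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Simplified "Closes:" pattern (an assumption, not Debian's exact regex):
# the keyword followed by one or more comma-separated bug numbers.
CLOSES_RE = re.compile(r"closes:\s*((?:#?\s?\d+(?:,\s*)?)+)", re.IGNORECASE)


def parse_entry(text):
    """Return (cve_ids, closed_bugs) found in a changelog entry."""
    # Join wrapped lines so a marker split across two lines is one match.
    flat = " ".join(line.strip() for line in text.splitlines())
    cves = set(CVE_RE.findall(flat))
    bugs = set()
    for group in CLOSES_RE.findall(flat):
        bugs.update(int(n) for n in re.findall(r"\d+", group))
    return cves, bugs


def audit(text, bug, reported):
    """Check that the entry closes `bug` and names every reported CVE."""
    cves, bugs = parse_entry(text)
    return {
        "closes_bug": bug in bugs,
        "missing_cves": sorted(reported - cves),   # reported but not named
        "extra_cves": sorted(cves - reported),     # named, tracked elsewhere
    }


if __name__ == "__main__":
    print(audit(CHANGES, 1101015, REPORTED))
```

A non-empty `missing_cves` means the upload closes the bug without naming a CVE that was reported in it, which is the case the reporter's request is meant to prevent.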