Your message dated Sat, 15 Mar 2008 23:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#470640: fixed in horde3 3.1.7-1
has caused the Debian Bug report #470640,
regarding horde3: CVE-2008-1284 file inclusion vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
470640: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470640
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: horde3
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for horde3.

CVE-2008-1284[0]:
| Directory traversal vulnerability in Horde 3.1.6, Groupware before
| 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with
| certain configurations, allows remote authenticated users to read and
| execute arbitrary files via ".." sequences and a null byte in the
| theme name.

Patch is on:
http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.6-3.1.7.gz

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1284

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: horde3
Source-Version: 3.1.7-1

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.1.7-1.diff.gz
  to pool/main/h/horde3/horde3_3.1.7-1.diff.gz
horde3_3.1.7-1.dsc
  to pool/main/h/horde3/horde3_3.1.7-1.dsc
horde3_3.1.7-1_all.deb
  to pool/main/h/horde3/horde3_3.1.7-1_all.deb
horde3_3.1.7.orig.tar.gz
  to pool/main/h/horde3/horde3_3.1.7.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <[EMAIL PROTECTED]> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 14:00:34 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.7-1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <[EMAIL PROTECTED]>
Changed-By: Gregory Colpart (evolix) <[EMAIL PROTECTED]>
Description:
 horde3 - horde web application framework
Closes: 376935 470283 470640
Changes:
 horde3 (3.1.7-1) unstable; urgency=high
 .
   * New upstream release.
   * This new version has security fix: fix arbitrary file inclusion through
     abuse of the theme preference (see CVE-2008-1284 for more informations).
     (Closes: #470640)
   * Fix typo in debian/rules comments.
   * Add php-net-imap package in "Suggests" field. (Closes: #470283)
   * Add libgeoip1 package in "Suggests" field.
     (Closes: #376935)
Files:
 14d243b25373c84aa25f2bed8a830d53 1220 web optional horde3_3.1.7-1.dsc
 c0e693f88d95e395671abbff2ab6df53 5288106 web optional horde3_3.1.7.orig.tar.gz
 97b896348b65a9bd32fab1b0b7a28ead 11867 web optional horde3_3.1.7-1.diff.gz
 4e58243e7fbf92ead9c3ba2d53b4d2e8 5330396 web optional horde3_3.1.7-1_all.deb
--- End Message ---