Your message dated Mon, 13 Jul 2009 19:53:56 +0000
with message-id <[email protected]>
and subject line Bug#536554: fixed in sork-passwd-h3 3.0-2+etch1
has caused the Debian Bug report #536554,
regarding CVE-2009-2360: Cross-site scripting vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
536554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536554
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sork-passwd-h3
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sork-passwd-h3.
CVE-2009-2360[0]:
| Cross-site scripting (XSS) vulnerability in passwd/main.php in the
| Passwd module before 3.1.1 for Horde allows remote attackers to inject
| arbitrary web script or HTML via the backend parameter.
The upstream patch can be found here[1].
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2360
http://security-tracker.debian.net/tracker/CVE-2009-2360
[1] http://bugs.horde.org/ticket/8398
--- End Message ---
--- Begin Message ---
Source: sork-passwd-h3
Source-Version: 3.0-2+etch1
We believe that the bug you reported is fixed in the latest version of
sork-passwd-h3, which is due to be installed in the Debian FTP archive:
sork-passwd-h3_3.0-2+etch1.diff.gz
to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+etch1.diff.gz
sork-passwd-h3_3.0-2+etch1.dsc
to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+etch1.dsc
sork-passwd-h3_3.0-2+etch1_all.deb
to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.0-2+etch1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <[email protected]> (supplier of updated sork-passwd-h3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 11 Jul 2009 08:36:29 +0200
Source: sork-passwd-h3
Binary: sork-passwd-h3
Architecture: source all
Version: 3.0-2+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Horde Maintainers <[email protected]>
Changed-By: Steffen Joeris <[email protected]>
Description:
sork-passwd-h3 - Horde3 module for users to change their password
Closes: 536554
Changes:
sork-passwd-h3 (3.0-2+etch1) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix XSS in backend parameter (Closes: #536554)
Fixes: CVE-2009-2360
Files:
9c114c8b4abf6db6b91a94f4e0359f77 722 web optional sork-passwd-h3_3.0-2+etch1.dsc
ca5612500c91c4ef3c838e8e94376332 966096 web optional sork-passwd-h3_3.0.orig.tar.gz
f8bdcfd6195df252914144f2a9e78869 8070 web optional sork-passwd-h3_3.0-2+etch1.diff.gz
8827158aa7959c230edd2f264061309d 936654 web optional sork-passwd-h3_3.0-2+etch1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpYM8oACgkQ62zWxYk/rQea5ACeIG1aDbaxo8vGRTpkPBVLJd1B
HT0An3n3cmn4tUTvhykhHHlC6QM0Gfki
=RbWq
-----END PGP SIGNATURE-----
--- End Message ---