Your message dated Sat, 25 Jul 2009 19:39:28 +0100
with message-id <[email protected]>
and subject line phpicalendar has been removed from Debian, closing #513517
has caused the Debian Bug report #513517,
regarding phpicalendar: Several vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
513517: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513517
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: phpicalendar
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for phpicalendar.
CVE-2008-5840[0]:
| PHP iCalendar 2.24 and earlier allows remote attackers to bypass
| authentication by setting the phpicalendar and phpicalendar_login
| cookies to 1.
CVE-2008-5967[1]:
| admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not
| require administrative authentication for an addupdate action, which
| allows remote attackers to upload a calendar (aka .ics) file with
| arbitrary content to the calendars/ directory outside the web root.
CVE-2008-5968[2]:
| Directory traversal vulnerability in print.php in PHP iCalendar 2.24
| and earlier allows remote attackers to include and execute arbitrary
| local files via a .. (dot dot) in the cookie_language parameter in a
| phpicalendar_* cookie, a different vector than CVE-2006-1292.
These issues read like common issues in PHP apps and I am wondering
whether phpicalendar is ready for a stable Debian release. I think it
should receive an audit first.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5840
http://security-tracker.debian.net/tracker/CVE-2008-5840
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5967
http://security-tracker.debian.net/tracker/CVE-2008-5967
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5968
http://security-tracker.debian.net/tracker/CVE-2008-5968
--- End Message ---
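Illustrative PHP added here, not part of the bug report and not phpicalendar's own code, showing the defensive patterns that address the three vulnerability classes the CVEs above describe: login state held in a server-side session instead of a client-settable cookie flag, an explicit authentication gate on every admin action (such as addupdate), and a language value that is allowlisted and confined to the language directory before it reaches an include. The constant LANG_DIR, the cookie name phpicalendar_language, the allowlist contents, the stored password hash and the file naming scheme are assumptions for this example.

```php
<?php
// Added illustrative example (not phpicalendar's code). Names marked
// "assumed" are not taken from the project.
declare(strict_types=1);

const LANG_DIR = __DIR__ . '/languages';   // assumed location of language files

// Weak pattern behind CVE-2008-5840: a value the browser sends is treated as
// proof of login. Anyone can set this cookie, so the check proves nothing.
// Kept only to contrast with the session-based check below; never call it.
function isAdminWeak(): bool
{
    return isset($_COOKIE['phpicalendar_login']) && $_COOKIE['phpicalendar_login'] == 1;
}

// Hardened: login state lives in the server-side session, which the client
// cannot forge, and is set only after the credential check succeeds.
function loginAdmin(string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);   // new session id on privilege change (fixation defence)
    $_SESSION['admin'] = true;
    return true;
}

// Gate for CVE-2008-5967: every admin action, addupdate included, must pass this.
function requireAdmin(): void
{
    if (empty($_SESSION['admin'])) {
        http_response_code(403);
        exit('admin authentication required');
    }
}

// Defence for CVE-2008-5968: the language name is checked structurally,
// matched against an allowlist, and the resolved path is confined to LANG_DIR.
function languageFile(string $requested, array $allowed): ?string
{
    if (!preg_match('/^[a-z]{2,8}$/', $requested)) {   // no dots, slashes or NULs
        return null;
    }
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $path = realpath(LANG_DIR . '/' . $requested . '.inc.php');   // assumed naming
    $base = realpath(LANG_DIR);
    // Even with the allowlist, refuse anything that resolves outside LANG_DIR.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage sketch for an admin page (assumed request handling):
session_start();
requireAdmin();   // before dispatching any action, including addupdate

$requested = $_COOKIE['phpicalendar_language'] ?? 'english';   // assumed cookie name
$lang = languageFile($requested, ['english', 'german', 'french']);
if ($lang === null) {
    $lang = languageFile('english', ['english']);   // safe default
}
require $lang;
```

The order in languageFile matters: the regular expression rejects traversal characters before any filesystem call, the allowlist limits the value to names the deployment actually ships, and the realpath comparison catches anything the first two checks miss (a symlink inside the directory, for instance). Because the session flag is only ever written by loginAdmin, no cookie the client chooses to send can satisfy requireAdmin.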
--- Begin Message ---
Version: 2.24-2+rm
The phpicalendar package has been removed from Debian so we are closing
the bugs that were still opened against it.
For more information about this package's removal, read
http://bugs.debian.org/536766 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any question.
Thank you for your contribution to Debian.
Kind regards,
--
Marco Rodrigues
--- End Message ---