Your message dated Thu, 16 Feb 2012 10:00:00 +0100
with message-id <1329382800.2653.4.camel@scapa>
and subject line Re: Bug#660077: horde3: Remote execution backdoor after server
hack
has caused the Debian Bug report #660077,
regarding horde3: Remote execution backdoor after server hack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
660077: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660077
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: horde3
Version: 3_3.3.12+debian0-2
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
a horde3 security issue is described here, which I would like to bring
to your attention
http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155
The version number of the compromised code matches what is in wheezy and sid
rd@blackbox:~$ apt-cache policy horde3
horde3:
Installiert: (keine)
Kandidat: 3.3.12+debian0-2
Versionstabelle:
3.3.12+debian0-2 0
500 http://ftp-stud.fht-esslingen.de/debian/ wheezy/main i386 Packages
300 http://ftp-stud.fht-esslingen.de/debian/ sid/main i386 Packages
rd@blackbox:~$
I know that is not the only prerequisite to be exposed to the security
issue, but I think even if not affected, closing this bug report and
documenting your assessment this way is the right way to deal with
this issue.
Many thanks,
Rainer
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (300, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.1.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
On jeu., 2012-02-16 at 09:47 +0100, Rainer Dorsch wrote:
> Dear Maintainer,
>
> a horde3 security issue is described here, which I would like to bring
> to your attention
>
> http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155
>
> The version number of the compromised code matches what is in wheezy
> and sid
>
> rd@blackbox:~$ apt-cache policy horde3
> horde3:
> Installiert: (keine)
> Kandidat: 3.3.12+debian0-2
> Versionstabelle:
> 3.3.12+debian0-2 0
> 500 http://ftp-stud.fht-esslingen.de/debian/ wheezy/main i386
> Packages
> 300 http://ftp-stud.fht-esslingen.de/debian/ sid/main i386
> Packages
> rd@blackbox:~$
>
> I know that is not the only prerequisite to be exposed to the security
> issue, but I think even if not affected, closing this bug report and
> documenting your assessment this way is the right way to deal with
> this issue.
Did you miss the changelog for -2?:
http://packages.qa.debian.org/h/horde3/news/20120213T190314Z.html
Regards,
--
Yves-Alexis
signature.asc
Description: This is a digitally signed message part
--- End Message ---
