Fix XSS with data:html links and form actions

Related Vulnerabilities: CVE-2016-5303  

Debian Bug report logs - #837150

Reported by: Mathieu Parent <math.parent@gmail.com>

Date: Fri, 9 Sep 2016 09:12:02 UTC

Severity: important

Tags: buster, jessie, security, sid

Found in versions php-horde-text-filter/2.2.1-5, php-horde-text-filter/2.3.4-2

Fixed in version php-horde-text-filter/2.3.5-1

Done: Mathieu Parent <sathieu@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#837150; Package php-horde-text-filter. (Fri, 09 Sep 2016 09:12:05 GMT).


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Fri, 09 Sep 2016 09:12:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Fix XSS with data:html links and form actions
Date: Fri, 9 Sep 2016 11:08:55 +0200
Package: php-horde-text-filter
Version: 2.3.4-2
Severity: important
Tags: security sid jessie
Control: found -1 2.2.1-5

Hello,

In the recent bunch of updates to Horde, I found this:

https://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97

Will upload latest version to sid shortly, and I plan to fix this in
jessie too.

Regards

-- 
Mathieu

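The upstream commit linked above is not reproduced on this page, so the following is an added Python example (not Horde's Text_Filter code and not the Debian patch) illustrating the bug class the title names: an HTML filter that only blocks the javascript: scheme, and only on href/src, still passes a data:text/html link and a <form action=...> that points at script, whereas an allow-list applied to every URL-bearing attribute rejects both. The scheme allow-list, the sample markup, and every function and constant name here are constructed for this example. One caveat: most current browsers refuse top-level navigation to data:text/html, but a filter should not rely on that, since the same markup can still execute in other contexts and the form-action vector does not depend on it at all.

```python
import html
import re
from html.parser import HTMLParser

# Attributes whose value a browser follows, submits to, or loads.
# 'action' and 'formaction' are the ones a link-focused filter tends to forget.
URL_ATTRS = {"href", "src", "action", "formaction"}

# Constructed allow-list for this example; it is not Horde's scheme policy.
SAFE_SCHEMES = {"http", "https", "mailto"}


def scheme_of(url):
    """Return the lowercase URL scheme, or None for a relative URL.

    Whitespace and control characters are stripped first because browsers
    ignore them inside a scheme, so 'java\\tscript:' still runs script.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", html.unescape(url))
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None


class AttrFilter(HTMLParser):
    """Re-serialise markup, dropping every attribute the policy rejects."""

    def __init__(self, reject):
        super().__init__(convert_charrefs=False)
        self.reject = reject  # reject(tag, attr, value) -> bool
        self.out = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands us already-unescaped attribute values.
        kept = [(k, v or "") for k, v in attrs if not self.reject(tag, k, v or "")]
        rendered = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def naive_reject(tag, attr, value):
    """Blocks only javascript:, and only on href/src: the pattern that lets
    data:text/html links and form actions through untouched."""
    return attr in ("href", "src") and scheme_of(value) == "javascript"


def hardened_reject(tag, attr, value):
    """Every URL-bearing attribute must be relative or use an allowed scheme;
    inline event handler attributes are dropped as well."""
    if attr in URL_ATTRS:
        scheme = scheme_of(value)
        return scheme is not None and scheme not in SAFE_SCHEMES
    return attr.startswith("on")


def sanitize(markup, reject):
    """Run markup through AttrFilter under the given rejection policy."""
    p = AttrFilter(reject)
    p.feed(markup)
    p.close()
    return "".join(p.out)


# Constructed samples; the base64 payload decodes to <script>alert(1)</script>.
SAMPLES = [
    '<a href="javascript:alert(1)">link</a>',
    '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">link</a>',
    '<form action="javascript:alert(1)"><input type="submit"></form>',
    '<a href="https://example.org/">link</a>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("input:    ", s)
        print("naive:    ", sanitize(s, naive_reject))
        print("hardened: ", sanitize(s, hardened_reject))
        print()
```

The design point is the allow-list: a filter that enumerates bad schemes has to know every scheme a browser will execute, while a filter that enumerates good ones only has to know what the application needs, and it has to be applied to every attribute that carries a URL, not just the two that look like links.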


Marked as found in versions php-horde-text-filter/2.2.1-5. Request was from Mathieu Parent <math.parent@gmail.com> to submit@bugs.debian.org. (Fri, 09 Sep 2016 09:12:05 GMT).


Reply sent to Mathieu Parent <sathieu@debian.org>:
You have taken responsibility. (Fri, 09 Sep 2016 12:21:23 GMT).


Notification sent to Mathieu Parent <math.parent@gmail.com>:
Bug acknowledged by developer. (Fri, 09 Sep 2016 12:21:23 GMT).


Message #12 received at 837150-close@bugs.debian.org:

From: Mathieu Parent <sathieu@debian.org>
To: 837150-close@bugs.debian.org
Subject: Bug#837150: fixed in php-horde-text-filter 2.3.5-1
Date: Fri, 09 Sep 2016 12:19:33 +0000
Source: php-horde-text-filter
Source-Version: 2.3.5-1

We believe that the bug you reported is fixed in the latest version of
php-horde-text-filter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 837150@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sathieu@debian.org> (supplier of updated php-horde-text-filter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 09 Sep 2016 13:54:11 +0200
Source: php-horde-text-filter
Binary: php-horde-text-filter
Architecture: source all
Version: 2.3.5-1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description:
 php-horde-text-filter - ${phppear:summary}
Closes: 837150
Changes:
 php-horde-text-filter (2.3.5-1) unstable; urgency=high
 .
   * New upstream version 2.3.5
     + SECURITY: Fix XSS with data:html links and form actions.
       Closes: #837150 and urgency set to high
Checksums-Sha1:
 8c3aa4b91b9f1e446d2be2c916e0f7848e5fc99c 2142 php-horde-text-filter_2.3.5-1.dsc
 bceb5239ff979e427aa21c4a8342ce0034b07435 54438 php-horde-text-filter_2.3.5.orig.tar.gz
 769e8aaf197adb52dbb3bf7fe639eec2306441cb 3448 php-horde-text-filter_2.3.5-1.debian.tar.xz
 634d8543d3ac82df02a96449b0efe459f57cdb01 46996 php-horde-text-filter_2.3.5-1_all.deb
Checksums-Sha256:
 33dfee33594e5c67b29b0279f5bf808434790eb76be5ba3c1e6e50a45c83f830 2142 php-horde-text-filter_2.3.5-1.dsc
 e3e1027edc272e750dac8e85c16702e5c52f065f049903bf025503da7c9e034c 54438 php-horde-text-filter_2.3.5.orig.tar.gz
 6c351077f23227b8a93197b1cf3e8b177febab357f19f3bcbe9ef01445869f94 3448 php-horde-text-filter_2.3.5-1.debian.tar.xz
 ec78087f365784e4c636c86c905865468741e82a19296495075ba2d138145457 46996 php-horde-text-filter_2.3.5-1_all.deb
Files:
 10e41057e86ec75a03af4e93ebf3c84c 2142 php extra php-horde-text-filter_2.3.5-1.dsc
 387f7ca59173f38872af5a4eaea10b2a 54438 php extra php-horde-text-filter_2.3.5.orig.tar.gz
 a91b2ec79d3d0d8490ba2bff95dcc332 3448 php extra php-horde-text-filter_2.3.5-1.debian.tar.xz
 35be511a5845ffa2d72518c927a671c0 46996 php extra php-horde-text-filter_2.3.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX0qS3AAoJEK4DmARmaB+l9J0QALHMI1sYKhfTog0/4mAxd7Vv
QLJQWp1hupDDytR5UHwn9Y2Ntyj3JEw9+DUO2YwVkqSq5S12BYHDuOiCRugfvBnz
SsdMiIEfzrgyldMENA+2nADmF9orAG0cKkI9w+F+NQCy0pRBvdLIoDvQKR90FZgk
LGyWAnJWXeI9zN0vRB+IkdmIlG3nT3ZL1/Q9nNRFxYouJ5qWFDoamMhQfAj2QUt7
HO99rmLSfv4/LUlR1AwPyn0m8A2laJtizh0lZQha6db1qG7mfnJ0cl4UExkiz+Wz
JlDj2WAieMYyz7s+Cju1N/kjNwYlPgm9oDtzPwHXYIDR7qeQZxJgg0A0TJbcE8uT
3nBRQPKqkRDYsbIsQBIn/4Pg6MImf4MNTxNSb30xVn62hDzrzH3bSxTiBk6egtoc
NXvhbEApp0QLx2DR3wrD038o6qUyDQJEXkiT2k0FK9Udu0S74GqNZ8qKJCQiRUJb
8ZDoXAzV/nuaAeBvtAX71cdQbLs6ONrI4MIP7th7n2AYdLqDojI1+Vqj9cg4N/2X
nWuC4Yd4ET8jo65vu7U80vVJE5JWuEyKzbgcY7S0eJ63ftdfQL5zPrmCf2ef+WPz
JUoP9742RRJC+X+ZmaA7o5C9m6GGNET7kQI7qQJ4LXTSVR7LDCO6gxHY32u0KHGb
eqPuERF1mQ6o8h4YKM7/
=9qHk
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 09:38:00 GMT).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:55:29 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#837150; Package php-horde-text-filter. (Thu, 09 Mar 2017 14:33:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 09 Mar 2017 14:33:03 GMT).


Message #21 received at 837150@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mathieu Parent <math.parent@gmail.com>, 837150@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#837150: Fix XSS with data:html links and form actions
Date: Thu, 9 Mar 2017 15:29:31 +0100
Hello!

On Fri, Sep 09, 2016 at 11:08:55AM +0200, Mathieu Parent wrote:
> Will upload latest version to sid shortly, and I plan to fix this in
> jessie too.

Do you still plan to work on the jessie update as well? I would tend
to mark this (CVE-2016-5303, #837150) as no-dsa and propose to fix it
via an upcoming point release.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#837150; Package php-horde-text-filter. (Thu, 09 Mar 2017 14:42:08 GMT).


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 09 Mar 2017 14:42:08 GMT).


Message #26 received at 837150@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 837150@bugs.debian.org, Debian Security Team <team@security.debian.org>, 837148@bugs.debian.org, 837149@bugs.debian.org, 837151@bugs.debian.org
Subject: Re: Bug#837150: Fix XSS with data:html links and form actions
Date: Thu, 9 Mar 2017 15:39:46 +0100
2017-03-09 15:29 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> Hello!

Hello Salvatore,

> On Fri, Sep 09, 2016 at 11:08:55AM +0200, Mathieu Parent wrote:
>> Will upload latest version to sid shortly, and I plan to fix this in
>> jessie too.
>
> Do you still plan to work on the jessie update as well? I would tend
> to mark this (CVE-2016-5303, #837150) as no-dsa and propose to fix it
> via an upcoming point release.

No. Unfortunately, I won't have time.

Same for #837148, #837149 and #837151.

Cheers,
-- 
Mathieu



Added tag(s) buster. Request was from ivodd@debian.org to control@bugs.debian.org. (Sun, 18 Jun 2017 09:56:40 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:11:47 2019; Machine Name: beach
