php-horde-core: CVE-2015-8807: XSS in Horde_Core_VarRenderer_Html

Related Vulnerabilities: CVE-2015-8807, CVE-2015-8543

Debian Bug report logs - #813590
php-horde-core: CVE-2015-8807: XSS in Horde_Core_VarRenderer_Html


Reported by: Mathieu Parent <math.parent@gmail.com>

Date: Wed, 3 Feb 2016 13:21:01 UTC

Severity: normal

Tags: fixed-upstream, jessie, patch, security, upstream

Found in version php-horde-core/2.15.0+debian0-1

Fixed in versions 2.22.4+debian0-1, php-horde-core/2.15.0+debian0-1+deb8u1

Done: Mathieu Parent <sathieu@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253



Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#813590; Package php-horde-core. (Wed, 03 Feb 2016 13:21:05 GMT) (full text, mbox, link).


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 03 Feb 2016 13:21:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Mathieu Parent <math.parent@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [php-horde-core] XSS in Horde_Core_VarRenderer_Html
Date: Wed, 3 Feb 2016 14:17:40 +0100
Package: php-horde-core
Version: 2.22.5+debian0-1

Will post more info later.

-- 
Mathieu



Reply sent to Mathieu Parent <math.parent@gmail.com>:
You have taken responsibility. (Wed, 03 Feb 2016 13:30:08 GMT) (full text, mbox, link).


Notification sent to Mathieu Parent <math.parent@gmail.com>:
Bug acknowledged by developer. (Wed, 03 Feb 2016 13:30:08 GMT) (full text, mbox, link).


Message #10 received at 813590-done@bugs.debian.org (full text, mbox, reply):

From: Mathieu Parent <math.parent@gmail.com>
To: 813590-done@bugs.debian.org
Subject: More info
Date: Wed, 3 Feb 2016 14:26:39 +0100
Version: 2.22.4+debian0-1
Control: found -1 2.15.0+debian0-1
Control: tag -1 + security upstream fixed-upstream patch jessie
Control: forwarded -1
https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253

I need to fix it for jessie too.

Cheers

-- 
Mathieu



Marked as found in versions php-horde-core/2.15.0+debian0-1. Request was from Mathieu Parent <math.parent@gmail.com> to control@bugs.debian.org. (Wed, 03 Feb 2016 13:39:03 GMT) (full text, mbox, link).


No longer marked as found in versions php-horde-core/2.22.5+debian0-1. Request was from Mathieu Parent <math.parent@gmail.com> to control@bugs.debian.org. (Wed, 03 Feb 2016 13:39:04 GMT) (full text, mbox, link).


Added tag(s) jessie, fixed-upstream, security, patch, and upstream. Request was from Mathieu Parent <math.parent@gmail.com> to control@bugs.debian.org. (Wed, 03 Feb 2016 13:39:05 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253'. Request was from Mathieu Parent <sathieu@debian.org> to control@bugs.debian.org. (Wed, 03 Feb 2016 17:54:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#813590; Package php-horde-core. (Thu, 04 Feb 2016 13:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 04 Feb 2016 13:21:04 GMT) (full text, mbox, link).


Message #23 received at 813590@bugs.debian.org (full text, mbox, reply):

From: Mathieu Parent <math.parent@gmail.com>
To: 813590@bugs.debian.org
Subject: Jessie debdiff
Date: Thu, 4 Feb 2016 14:18:00 +0100
Here is the patch for jessie.

-- 
Mathieu
[0001-Escape-form-value-fix-XSS-in-Horde_Core_VarRenderer_.patch (text/x-diff, attachment)]
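The attached patch itself is not reproduced in this log, so the following is an added illustration of the bug class the changelog names ("Escape form value, fix XSS"); it is not Horde's code nor the patch, and the renderer functions, the `looksInjected` check and the sample values are hypothetical and constructed for this demonstration.

```php
<?php
// Added illustration, not code from Horde or from the attached patch.
// A hypothetical minimal "variable renderer" that emits an <input> whose
// value comes from untrusted form data, in the unsafe and the fixed form.

// Unsafe: the value is interpolated into the attribute verbatim, so a value
// containing a double quote can close the attribute and inject markup.
function renderTextInputUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Fixed: escape both the name and the value for an HTML attribute context.
// ENT_QUOTES covers both quote characters; passing the charset explicitly
// avoids relying on the default, which has varied between PHP versions.
function renderTextInputEscaped(string $name, string $value): string
{
    $h = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    return '<input type="text" name="' . $h($name) . '" value="' . $h($value) . '" />';
}

// Crude check used only for this demonstration: does the rendered markup
// contain more than the one element we emitted, or an on* handler attribute?
function looksInjected(string $html): bool
{
    return substr_count($html, '<') > 1 || preg_match('/\son\w+=/i', $html) === 1;
}

// Constructed sample values: one benign, one that tries to close the attribute
// (the standard probe a reviewer uses to confirm this class of bug is fixed).
$benign  = "O'Reilly & Sons";
$hostile = '"><script>alert(1)</script>';

foreach ([$benign, $hostile] as $v) {
    $unsafe  = renderTextInputUnsafe('title', $v);
    $escaped = renderTextInputEscaped('title', $v);
    printf("unsafe : %s  injected=%s\n", $unsafe, looksInjected($unsafe) ? 'yes' : 'no');
    printf("escaped: %s  injected=%s\n", $escaped, looksInjected($escaped) ? 'yes' : 'no');
}
```

With the hostile value the unsafe renderer yields three elements in the output, while the escaped renderer yields a single `<input>` whose value attribute carries the entity-encoded text.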

Changed Bug title to 'php-horde-core: CVE-2015-8807: XSS in Horde_Core_VarRenderer_Html' from '[php-horde-core] XSS in Horde_Core_VarRenderer_Html' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 07 Feb 2016 05:30:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#813590; Package php-horde-core. (Wed, 24 Feb 2016 21:42:09 GMT) (full text, mbox, link).


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 24 Feb 2016 21:42:09 GMT) (full text, mbox, link).


Message #30 received at 813590@bugs.debian.org (full text, mbox, reply):

From: Mathieu Parent <math.parent@gmail.com>
To: 813573@bugs.debian.org, 813590@bugs.debian.org, 813406@bugs.debian.org
Subject: WIP (was: Fwd: Proposed changes to jessie)
Date: Wed, 24 Feb 2016 22:40:21 +0100
Hello,

I've proposed the changes to -security, without response yet.

See below.

---------- Forwarded message ----------
From: Mathieu Parent <math.parent@gmail.com>
Date: 2016-02-24 22:24 GMT+01:00
Subject: Re: Proposed changes to jessie
To: team@security.debian.org


2016-02-04 15:04 GMT+01:00 Mathieu Parent <math.parent@gmail.com>:
> Hello,

Pinging again.

> I have prepared security fixes for two Horde packages:
> - php-horde: https://bugs.debian.org/813573#26 XSS vulnerability in menu bar
Debdiff at: http://anonscm.debian.org/cgit/pkg-horde/PEAR/php-horde.git/diff/?id2=47c6d6e6ad0836d657eee75e36ef8dbd19c843d2&id=112b45b0403df87828e6cd620eb0e3d4fc3c7fa9

> - php-horde-core: https://bugs.debian.org/813590#23 XSS in
> Horde_Core_VarRenderer_Html
Debdiff at: http://anonscm.debian.org/cgit/pkg-horde/PEAR/php-horde-core.git/diff/?id2=d79e0d5424ba76351cde56701e061f91d241ec09&id=a98c8cb02edaaa0378771a7f21855aaafc883785

>
> Can I upload the two packages (this is already fixed in sid)?

Waiting for your answer.

> I have also prepared a ctdb regression update, which fixes CTDB behavior
> under Linux after the fix for CVE-2015-8543:
> - https://bugs.debian.org/813406#25 ctdb, raw sockets and CVE-2015-8543

See http://anonscm.debian.org/cgit/pkg-samba/ctdb.git/commit/?h=debian-jessie&id=ec4e506686578cdf13b36ce18ec98cc5307b4e64

> Can I upload it?

Same.

> Can I do the same for wheezy once jessie is uploaded?

Same.

I think keeping those issues in place is not good.

Regards
--
Mathieu Parent



Reply sent to Mathieu Parent <sathieu@debian.org>:
You have taken responsibility. (Sat, 05 Mar 2016 22:36:08 GMT) (full text, mbox, link).


Notification sent to Mathieu Parent <math.parent@gmail.com>:
Bug acknowledged by developer. (Sat, 05 Mar 2016 22:36:08 GMT) (full text, mbox, link).


Message #35 received at 813590-close@bugs.debian.org (full text, mbox, reply):

From: Mathieu Parent <sathieu@debian.org>
To: 813590-close@bugs.debian.org
Subject: Bug#813590: fixed in php-horde-core 2.15.0+debian0-1+deb8u1
Date: Sat, 05 Mar 2016 22:33:57 +0000
Source: php-horde-core
Source-Version: 2.15.0+debian0-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
php-horde-core, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813590@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sathieu@debian.org> (supplier of updated php-horde-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 26 Feb 2016 13:18:06 +0100
Source: php-horde-core
Binary: php-horde-core
Architecture: source all
Version: 2.15.0+debian0-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description:
 php-horde-core - ${phppear:summary}
Closes: 813590
Changes:
 php-horde-core (2.15.0+debian0-1+deb8u1) jessie-security; urgency=high
 .
   * CVE-2015-8807: Escape form value, fix XSS in Horde_Core_VarRenderer_Html
     (Closes: #813590)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 May 2016 07:55:43 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:01:12 2019; Machine Name: buxtehude
