php-horde-kronolith: CVE-2017-16906 XSS via URL field

Related Vulnerabilities: CVE-2017-16906   CVE-2017-16908  

Debian Bug report logs - #909737


Reported by: Markus Koschany <apo@debian.org>

Date: Thu, 27 Sep 2018 13:09:01 UTC

Severity: grave

Tags: security, upstream

Found in versions php-horde-kronolith/4.2.2-4, php-horde-kronolith/4.2.19-1, php-horde-kronolith/4.2.23-3

Fixed in version php-horde-kronolith/4.2.24-1

Done: Mathieu Parent <sathieu@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>:
Bug#909737; Package php-horde-kronolith. (Thu, 27 Sep 2018 13:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>. (Thu, 27 Sep 2018 13:09:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: php-horde-kronolith: CVE-2017-16906 XSS via URL field
Date: Thu, 27 Sep 2018 15:05:02 +0200
[Message part 1 (text/plain, inline)]
Package: php-horde-kronolith
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for php-horde-kronolith.

CVE-2017-16906[0]:
| In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a
| "Calendar -> New Event" action.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16906
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16906

Please adjust the affected versions in the BTS as needed.

[signature.asc (application/pgp-signature, attachment)]
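The flaw reported above is a stored XSS through a user-supplied URL field that is later rendered into event markup. The following PHP is an added illustration of the defensive pattern (scheme allowlist plus context-correct HTML escaping); it is not Horde or Kronolith code, and the function names `safe_event_url` and `render_event_url` as well as the sample inputs are constructed for this example.

```php
<?php
// Added example, not Horde/Kronolith code: treating a user-supplied event URL
// before it is rendered into an HTML attribute and into link text.
// Function names and the sample inputs below are constructed for illustration.

/**
 * Return a URL that is safe to use as an href, or null if the value must not
 * be rendered as a link at all. Only absolute http(s) URLs are accepted.
 */
function safe_event_url(string $raw): ?string
{
    $raw = trim($raw);
    // Reject anything that is not a syntactically valid absolute URL.
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    // Scheme allowlist: only http and https may become a clickable link.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $raw;
}

/**
 * Render the "URL" field of an event. The value is escaped for the HTML
 * attribute and text contexts; values that fail validation are shown as
 * plain escaped text and never as a link.
 */
function render_event_url(string $raw): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $url = safe_event_url($raw);
    if ($url === null) {
        return '<span class="event-url">'
            . htmlspecialchars($raw, $flags, 'UTF-8')
            . '</span>';
    }
    $escaped = htmlspecialchars($url, $flags, 'UTF-8');
    return '<a class="event-url" href="' . $escaped . '" rel="noopener noreferrer">'
        . $escaped . '</a>';
}

// Constructed sample inputs: a legitimate URL, a value carrying markup, and a
// value with a scheme that must never be turned into a link.
$samples = [
    'https://example.org/meeting?id=42&room=3',
    '"><script>alert(1)</script>',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    echo render_event_url($s), PHP_EOL;
}
```

Two points matter here: escaping alone is not enough for an `href`, because a well-formed `javascript:` URL survives `htmlspecialchars` intact, so the scheme allowlist is what prevents a script-bearing link; and the allowlist alone is not enough either, because a value that fails validation still has to be escaped before it is displayed back to the user.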

Marked as found in versions php-horde-kronolith/4.2.2-4. Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 13:33:03 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 18:36:04 GMT) (full text, mbox, link).


Marked as found in versions php-horde-kronolith/4.2.23-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 18:36:05 GMT) (full text, mbox, link).


Marked as found in versions php-horde-kronolith/4.2.19-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 18:36:06 GMT) (full text, mbox, link).


Message sent on to Markus Koschany <apo@debian.org>:
Bug#909737. (Mon, 08 Oct 2018 07:57:13 GMT) (full text, mbox, link).


Message #16 received at 909737-submitter@bugs.debian.org (full text, mbox, reply):

From: Mathieu Parent <sathieu@debian.org>
To: 909737-submitter@bugs.debian.org
Subject: Bug #909737 in php-horde-kronolith marked as pending
Date: Mon, 08 Oct 2018 07:52:43 +0000
Control: tag -1 pending

Hello,

Bug #909737 in php-horde-kronolith reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/horde-team/php-horde-kronolith/commit/c109086f86852292d7459d0dbbaf6afde705a301

------------------------------------------------------------------------
Add patches for CVE-2017-16906 (Closes: #909737) and CVE-2017-16908 (Closes: #909738)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/909737



Added tag(s) pending. Request was from Mathieu Parent <sathieu@debian.org> to 909737-submitter@bugs.debian.org. (Mon, 08 Oct 2018 07:57:13 GMT) (full text, mbox, link).


Reply sent to Mathieu Parent <sathieu@debian.org>:
You have taken responsibility. (Mon, 08 Oct 2018 08:48:03 GMT) (full text, mbox, link).


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Mon, 08 Oct 2018 08:48:03 GMT) (full text, mbox, link).


Message #23 received at 909737-close@bugs.debian.org (full text, mbox, reply):

From: Mathieu Parent <sathieu@debian.org>
To: 909737-close@bugs.debian.org
Subject: Bug#909737: fixed in php-horde-kronolith 4.2.24-1
Date: Mon, 08 Oct 2018 08:45:39 +0000
Source: php-horde-kronolith
Source-Version: 4.2.24-1

We believe that the bug you reported is fixed in the latest version of
php-horde-kronolith, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 909737@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sathieu@debian.org> (supplier of updated php-horde-kronolith package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 08 Oct 2018 09:51:44 +0200
Source: php-horde-kronolith
Binary: php-horde-kronolith
Architecture: source all
Version: 4.2.24-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <team+debian-horde-team@tracker.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description:
 php-horde-kronolith -
Closes: 909737 909738
Changes:
 php-horde-kronolith (4.2.24-1) unstable; urgency=medium
 .
   * New upstream version 4.2.24
   * CVE-2017-16906 XSS via URL field (Closes: #909737)
   * CVE-2017-16908 XSS via Name field (Closes: #909738)
Checksums-Sha1:
 851c7b44f005ecf4907273b5a5faa8be63cddf74 2175 php-horde-kronolith_4.2.24-1.dsc
 0ff53e58c4b9b519dcf672a6c2b0226712245d6f 2644494 php-horde-kronolith_4.2.24.orig.tar.gz
 eaf94c632dc1679f18a11dab3696cc947364aab4 4800 php-horde-kronolith_4.2.24-1.debian.tar.xz
 e4a3d4cd98323e4c46e2a2b93ae8cfe451fbdf9f 1394764 php-horde-kronolith_4.2.24-1_all.deb
 a5827569a9aacb4a562fa6b561700bb3c99d4c57 6234 php-horde-kronolith_4.2.24-1_amd64.buildinfo
Checksums-Sha256:
 275680fe9461c4d5a77475b3646c5c77e9e2d69169d552242df8b91e5f1954d5 2175 php-horde-kronolith_4.2.24-1.dsc
 adde767c5fa90a5cb3848188681dae11f64d7fc51a5698742942dbf699ed2507 2644494 php-horde-kronolith_4.2.24.orig.tar.gz
 17ae36bc6af4459ab554d640b9b2ba1169fc767c01b5d1fa29fa12b6e91dbf87 4800 php-horde-kronolith_4.2.24-1.debian.tar.xz
 5526c1f6003703267677aa71db08389a289f24b864fa05007662afde700925ad 1394764 php-horde-kronolith_4.2.24-1_all.deb
 5595d01d71658e0af648d4a79d311319d381f0bf7a7e8d6d42db24e895ebaa3a 6234 php-horde-kronolith_4.2.24-1_amd64.buildinfo
Files:
 9ecf98b7a507645bf584ad4687675f81 2175 php optional php-horde-kronolith_4.2.24-1.dsc
 816c12223eaf6618fff3534a59a9eace 2644494 php optional php-horde-kronolith_4.2.24.orig.tar.gz
 07ce38e710395764d75d3892472beadd 4800 php optional php-horde-kronolith_4.2.24-1.debian.tar.xz
 ada6de7001de666ebec9174531314eb6 1394764 php optional php-horde-kronolith_4.2.24-1_all.deb
 6148ade3dd6bb6ce86f64fb8cffc04a3 6234 php optional php-horde-kronolith_4.2.24-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:36:43 2019; Machine Name: buxtehude
