collabtive: CVE-2014-3246 CVE-2014-3247

Related Vulnerabilities: CVE-2014-3246, CVE-2014-3247

Debian Bug report logs - #748828

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 21 May 2014 05:21:02 UTC

Severity: grave

Tags: security, upstream

Fixed in version collabtive/1.2+dfsg-2

Done: Gunnar Wolf <gwolf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#748828; Package src:collabtive. (Wed, 21 May 2014 05:21:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gunnar Wolf <gwolf@debian.org>. (Wed, 21 May 2014 05:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: collabtive: CVE-2014-3246 CVE-2014-3247
Date: Wed, 21 May 2014 07:18:46 +0200
Source: collabtive
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for collabtive.

CVE-2014-3246[0]:
| SQL injection vulnerability in Collabtive 1.2 allows remote
| authenticated users to execute arbitrary SQL commands via the folder
| parameter in a fileview_list action to manageajax.php.

CVE-2014-3247[1]:
| Cross-site scripting (XSS) vulnerability in Collabtive 1.2 allows
| remote authenticated users to inject arbitrary web script or HTML via
| the desc parameter in an Add project (addpro) action to admin.php.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3246
    https://security-tracker.debian.org/tracker/CVE-2014-3246
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3247
    https://security-tracker.debian.org/tracker/CVE-2014-3247

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
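The two advisories above describe the two classic web-application defects: request data concatenated into SQL (CVE-2014-3246) and user-supplied text rendered into HTML without encoding (CVE-2014-3247). The following PHP is an added illustration of the defensive pattern for each, not Collabtive's code and not the Debian patch; the table name `files`, the functions `fetchFilesInFolderVulnerable()`, `fetchFilesInFolder()` and `renderProjectDescription()`, and the assumption that a folder is identified by a non-negative integer are all constructed for this example.

```php
<?php
// Illustrative example only; not Collabtive's code or the Debian fix.
// Table/column names and function names are assumptions for this demo.
declare(strict_types=1);

// Vulnerable pattern (the bug class CVE-2014-3246 describes): request data
// is spliced into the SQL string, so the value can alter the query itself.
function fetchFilesInFolderVulnerable(PDO $pdo, string $folder): array
{
    $sql = "SELECT ID, name FROM files WHERE folder = '" . $folder . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate the expected type first, then bind the value as a
// parameter so it is sent as data and can never change the query structure.
function fetchFilesInFolder(PDO $pdo, string $folder): array
{
    // Assumption: folder identifiers are non-negative integers.
    if (!ctype_digit($folder)) {
        throw new InvalidArgumentException('folder must be a numeric ID');
    }
    $stmt = $pdo->prepare('SELECT ID, name FROM files WHERE folder = :folder');
    $stmt->bindValue(':folder', (int) $folder, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // Older PHP versions could return false here; guarding keeps callers from
    // iterating a non-array (the reliability point the changelog also raises).
    return $rows === false ? [] : $rows;
}

// Stored XSS (the bug class CVE-2014-3247 describes) is neutralised at output
// time: encode the description for the HTML element context it is placed in.
function renderProjectDescription(string $desc): string
{
    return '<p class="desc">'
        . htmlspecialchars($desc, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE files (ID INTEGER PRIMARY KEY, name TEXT, folder INTEGER)');
$pdo->exec("INSERT INTO files (name, folder) VALUES ('spec.pdf', 1), ('notes.txt', 2)");

print_r(fetchFilesInFolder($pdo, '1'));   // only the row belonging to folder 1

try {
    fetchFilesInFolder($pdo, '1x');        // non-numeric input is rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo renderProjectDescription('<script>alert(1)</script>'), "\n";
// Markup arrives in the browser as inert text: &lt;script&gt;alert(1)&lt;/script&gt;
```

Two design points carry over to any fix of this kind: input validation (the `ctype_digit` check) and parameter binding are complementary, since the allow-list gives a clear error for malformed requests while the prepared statement is what actually removes the injection; and the HTML encoding belongs at the point of output, chosen for the specific context (element body, attribute, or URL), rather than being applied once on the way into the database.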



Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#748828; Package src:collabtive. (Fri, 23 May 2014 20:06:04 GMT)


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Fri, 23 May 2014 20:06:04 GMT)


Message #10 received at submit@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 748828@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#748828: collabtive: CVE-2014-3246 CVE-2014-3247
Date: Fri, 23 May 2014 15:02:49 -0500

Salvatore Bonaccorso said [Wed, May 21, 2014 at 07:18:46AM +0200]:
> the following vulnerabilities were published for collabtive.
> 
> CVE-2014-3246[0]:
> | SQL injection vulnerability in Collabtive 1.2 allows remote
> | authenticated users to execute arbitrary SQL commands via the folder
> | parameter in a fileview_list action to manageajax.php.
> 
> CVE-2014-3247[1]:
> | Cross-site scripting (XSS) vulnerability in Collabtive 1.2 allows
> | remote authenticated users to inject arbitrary web script or HTML via
> | the desc parameter in an Add project (addpro) action to admin.php.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Hi Salvatore,

Thanks a lot for the heads-up! I have uploaded a new release fixing
CVE-2014-3246; I have not been able to look into CVE-2014-3247; any
help will be most appreciated!



Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#748828; Package src:collabtive. (Fri, 23 May 2014 20:06:08 GMT)


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Fri, 23 May 2014 20:06:08 GMT)


Reply sent to Gunnar Wolf <gwolf@debian.org>:
You have taken responsibility. (Fri, 23 May 2014 21:27:39 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 23 May 2014 21:27:39 GMT)


Message #20 received at 748828-close@bugs.debian.org:

From: Gunnar Wolf <gwolf@debian.org>
To: 748828-close@bugs.debian.org
Subject: Bug#748828: fixed in collabtive 1.2+dfsg-2
Date: Fri, 23 May 2014 21:23:29 +0000
Source: collabtive
Source-Version: 1.2+dfsg-2

We believe that the bug you reported is fixed in the latest version of
collabtive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 748828@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gunnar Wolf <gwolf@debian.org> (supplier of updated collabtive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 23 May 2014 11:27:55 -0500
Source: collabtive
Binary: collabtive
Architecture: source all
Version: 1.2+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Gunnar Wolf <gwolf@debian.org>
Changed-By: Gunnar Wolf <gwolf@debian.org>
Description: 
 collabtive - Web-based project management software
Closes: 748828
Changes: 
 collabtive (1.2+dfsg-2) unstable; urgency=high
 .
   * Reliability patch: Check queries return objects before iterating
     over them, avoiding PHP errors (and ugly blank screens)
   * Fix a SQL injection vulnerability in project.datei.php
     (ref: CVE-2014-3246) (Closes: #748828)
Checksums-Sha1: 
 a4bc3043a95045027579690ce5db28d814f2816a 1764 collabtive_1.2+dfsg-2.dsc
 e96a07790c3e57711d496cb3e9c1cc30276fb66c 42644 collabtive_1.2+dfsg-2.debian.tar.xz
 7162f831895cd2f4d8ab60447257245e0b81b3d6 2528946 collabtive_1.2+dfsg-2_all.deb
Checksums-Sha256: 
 2bb505a47f9d997e7b5288cd43b0273cb14a149e7a727be9f530546fbc228d63 1764 collabtive_1.2+dfsg-2.dsc
 a132113a9c86d3824b2bc75d85a791e19d30901b3053a5a701c4cdbb8e6b2e80 42644 collabtive_1.2+dfsg-2.debian.tar.xz
 9ebd8f43d85154938be02a2fd90ee1784d122073673933a1d27751c1da9a64cb 2528946 collabtive_1.2+dfsg-2_all.deb
Files: 
 5199282313e8f21ffeca280f8f2e75ad 2528946 web optional collabtive_1.2+dfsg-2_all.deb
 03ed8f3ac5b16ea6e673066678099527 1764 web optional collabtive_1.2+dfsg-2.dsc
 666c480d5ed74ba4a1523d15d5ce69c2 42644 web optional collabtive_1.2+dfsg-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:41:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:04:10 2019; Machine Name: buxtehude
