php-horde: CVE-2017-16907 XSS via Color field

Related Vulnerabilities: CVE-2017-16907  

Debian Bug report logs - #909739
php-horde: CVE-2017-16907 XSS via Color field


Reported by: Markus Koschany <apo@debian.org>

Date: Thu, 27 Sep 2018 13:27:01 UTC

Severity: grave

Tags: security, upstream

Found in versions php-horde/5.2.13+debian0-1, php-horde/5.2.17+debian0-3, php-horde/5.2.1+debian0-2+deb8u3

Fixed in version php-horde/5.2.18+debian0-1

Done: Mathieu Parent <sathieu@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>:
Bug#909739; Package php-horde. (Thu, 27 Sep 2018 13:27:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>. (Thu, 27 Sep 2018 13:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: php-horde: CVE-2017-16907 XSS via Color field
Date: Thu, 27 Sep 2018 15:23:14 +0200
Package: php-horde
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for php-horde.

CVE-2017-16907[0]:
| In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field
| in a Create Task List action.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16907
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16907

Please adjust the affected versions in the BTS as needed.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]
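The CVE entry quoted above describes an XSS via the Color field of the Create Task List action. As an added example (not Horde's code and not the fix in the linked commit), the following PHP shows the two defensive layers a reviewer would look for around such a field: allow-listing the submitted value as a CSS hex colour on input, and HTML-escaping it on output. The function names and the assumption that the colour is rendered into an inline style attribute are illustrative only.

```php
<?php
// Added example, not Horde's code. Names and the style-attribute rendering
// context are assumptions for illustration.

/**
 * Accept only CSS hex colours (#rgb or #rrggbb). Anything else, including
 * strings carrying quotes, angle brackets or extra CSS, is rejected.
 */
function validate_color(string $color): ?string
{
    $color = trim($color);
    if (preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $color) === 1) {
        return strtolower($color);
    }
    return null;
}

/**
 * Render a colour swatch. The value is escaped for an HTML attribute
 * context even though validation already restricts it: keeping both
 * layers means a bypass of one does not turn into script execution.
 */
function render_color_swatch(string $color): string
{
    $safe = validate_color($color);
    if ($safe === null) {
        $safe = '#ffffff'; // assumed fallback when the input is not a valid colour
    }
    $attr = htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="swatch" style="background-color:' . $attr . '"></span>';
}

// Constructed sample inputs: two valid colours, two that must be rejected.
$inputs = ['#1E90FF', '#abc', 'red"><b>x</b>', '#123456; background:url(x)'];
foreach ($inputs as $in) {
    $result = validate_color($in) ?? 'rejected';
    echo str_pad(json_encode($in), 34) . ' => ' . $result . PHP_EOL;
}
echo render_color_swatch('#1E90FF') . PHP_EOL;
```

The first two inputs are accepted as `#1e90ff` and `#abc`; the last two are rejected before they can reach any template.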

Marked as found in versions php-horde/5.2.1+debian0-2+deb8u3. Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 13:33:02 GMT)


Marked as found in versions php-horde/5.2.17+debian0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 14:33:05 GMT)


Marked as found in versions php-horde/5.2.13+debian0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 14:33:07 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 14:33:07 GMT)


Bug 909739 cloned as bug 909800. Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Fri, 28 Sep 2018 17:51:05 GMT)


Message sent on to Markus Koschany <apo@debian.org>:
Bug#909739. (Sun, 07 Oct 2018 20:57:06 GMT)


Message #18 received at 909739-submitter@bugs.debian.org:

From: Mathieu Parent <sathieu@debian.org>
To: 909739-submitter@bugs.debian.org
Subject: Bug #909739 in php-horde marked as pending
Date: Sun, 07 Oct 2018 20:53:35 +0000
Control: tag -1 pending

Hello,

Bug #909739 in php-horde reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/horde-team/php-horde/commit/16addfa64ac133f9fd1adca2ededf54031167ba2

------------------------------------------------------------------------
Fix CVE-2017-16907 XSS via Color field (Closes: #909739)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/909739



Added tag(s) pending. Request was from Mathieu Parent <sathieu@debian.org> to 909739-submitter@bugs.debian.org. (Sun, 07 Oct 2018 20:57:06 GMT)


Reply sent to Mathieu Parent <sathieu@debian.org>:
You have taken responsibility. (Sun, 07 Oct 2018 21:21:15 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Sun, 07 Oct 2018 21:21:15 GMT)


Message #25 received at 909739-close@bugs.debian.org:

From: Mathieu Parent <sathieu@debian.org>
To: 909739-close@bugs.debian.org
Subject: Bug#909739: fixed in php-horde 5.2.18+debian0-1
Date: Sun, 07 Oct 2018 21:20:05 +0000
Source: php-horde
Source-Version: 5.2.18+debian0-1

We believe that the bug you reported is fixed in the latest version of
php-horde, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 909739@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sathieu@debian.org> (supplier of updated php-horde package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 07 Oct 2018 22:55:19 +0200
Source: php-horde
Binary: php-horde
Architecture: source all
Version: 5.2.18+debian0-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <team+debian-horde-team@tracker.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description:
 php-horde  -
Closes: 909739
Changes:
 php-horde (5.2.18+debian0-1) unstable; urgency=medium
 .
   * New upstream version 5.2.18+debian0
     - Update patch
   * Fix CVE-2017-16907 XSS via Color field (Closes: #909739)







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:54:36 2019; Machine Name: beach
