php-horde: CVE-2016-2228: Reflected cross-site scripting in menu bar

Related Vulnerabilities: CVE-2016-2228, CVE-2015-8543

Debian Bug report logs - #813573


Reported by: Mathieu Parent <math.parent@gmail.com>

Date: Wed, 3 Feb 2016 08:36:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version php-horde/5.2.8+debian0-1

Fixed in versions php-horde/5.2.9+debian0-1, php-horde/5.2.1+debian0-2+deb8u3

Done: Mathieu Parent <sathieu@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.horde.org/ticket/14213




Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#813573; Package php-horde. (Wed, 03 Feb 2016 08:36:06 GMT)


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 03 Feb 2016 08:36:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [php-horde] XSS vulnerability in menu bar
Date: Wed, 3 Feb 2016 09:34:09 +0100
Package: php-horde
Version: 5.2.8+debian0-1

Hello,

According to: http://lists.horde.org/archives/announce/2016/001140.html

Regards
-- 
Mathieu Parent



Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#813573; Package php-horde. (Wed, 03 Feb 2016 12:42:08 GMT)


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 03 Feb 2016 12:42:08 GMT)


Message #10 received at 813573@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: 813573@bugs.debian.org
Subject: Re: [pkg-horde] Bug#813573: [php-horde] XSS vulnerability in menu bar
Date: Wed, 3 Feb 2016 13:38:56 +0100
Control: tag -1 + security upstream fixed-upstream pending
Control: severity -1 grave
Control: forwarded -1 https://bugs.horde.org/ticket/14213

This is a security bug probably affecting jessie. I need to patch this
branch too.

Remark: No CVE, as usual with horde.

-- 
Mathieu Parent



Added tag(s) security, fixed-upstream, upstream, and pending. Request was from Mathieu Parent <math.parent@gmail.com> to 813573-submit@bugs.debian.org. (Wed, 03 Feb 2016 12:42:08 GMT)


Severity set to 'grave' from 'normal'. Request was from Mathieu Parent <math.parent@gmail.com> to 813573-submit@bugs.debian.org. (Wed, 03 Feb 2016 12:42:09 GMT)


Set Bug forwarded-to-address to 'https://bugs.horde.org/ticket/14213'. Request was from Mathieu Parent <math.parent@gmail.com> to 813573-submit@bugs.debian.org. (Wed, 03 Feb 2016 12:42:10 GMT)


Reply sent to Mathieu Parent <sathieu@debian.org>:
You have taken responsibility. (Thu, 04 Feb 2016 07:24:04 GMT)


Notification sent to Mathieu Parent <math.parent@gmail.com>:
Bug acknowledged by developer. (Thu, 04 Feb 2016 07:24:04 GMT)


Message #21 received at 813573-close@bugs.debian.org:

From: Mathieu Parent <sathieu@debian.org>
To: 813573-close@bugs.debian.org
Subject: Bug#813573: fixed in php-horde 5.2.9+debian0-1
Date: Thu, 04 Feb 2016 07:21:36 +0000
Source: php-horde
Source-Version: 5.2.9+debian0-1

We believe that the bug you reported is fixed in the latest version of
php-horde, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813573@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sathieu@debian.org> (supplier of updated php-horde package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 Feb 2016 23:40:14 +0100
Source: php-horde
Binary: php-horde
Architecture: source all
Version: 5.2.9+debian0-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description:
 php-horde  - ${phppear:summary}
Closes: 813573
Changes:
 php-horde (5.2.9+debian0-1) unstable; urgency=medium
 .
   * New upstream version 5.2.9+debian0
     - Fixes XSS vulnerability in menu bar (Closes: #813573)
   * Update patch
Checksums-Sha1:
 899bfbce9984b27a758f7d9669cadb171224703c 2005 php-horde_5.2.9+debian0-1.dsc
 b46542b6d7a1013f25aac481de2824a943d69f29 2927951 php-horde_5.2.9+debian0.orig.tar.gz
 64456bb5b203cefeac5a348e6779a8e47a6d142b 7612 php-horde_5.2.9+debian0-1.debian.tar.xz
 2ffdf34348b859cd46429fcafd2839f71f299914 1746568 php-horde_5.2.9+debian0-1_all.deb
Checksums-Sha256:
 3bae0d495edf9416117ff2a8615fc68fa0db63a2ebb10519a352a5aa49c18913 2005 php-horde_5.2.9+debian0-1.dsc
 6dc07a47912b14adef5eb019d4defe23255091cd99e2385e2b9a300f1f459761 2927951 php-horde_5.2.9+debian0.orig.tar.gz
 c2a9e0eba3346fbb589a722e59b3d2c358d69b5307c5e41e50d6b8250610d47e 7612 php-horde_5.2.9+debian0-1.debian.tar.xz
 8af2834d94136d12836b0249f80ae97d20d208f060da8f618d1d550aca9318b0 1746568 php-horde_5.2.9+debian0-1_all.deb
Files:
 eb8bc6049e60a1d2a4f45bb9a2e191f1 2005 php extra php-horde_5.2.9+debian0-1.dsc
 20f926160a2596c8180e8aa09e27f27a 2927951 php extra php-horde_5.2.9+debian0.orig.tar.gz
 4c8885f612bc6f913a7fdebd7850106d 7612 php extra php-horde_5.2.9+debian0-1.debian.tar.xz
 b63cbdb973919b95e57b9c93212a0c89 1746568 php extra php-horde_5.2.9+debian0-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWsvcTAAoJEK4DmARmaB+lPDwQALhK/bQ9o7y7o5MDFggOi/g8
v32btVfARQK71rahDfUaXqVBsxN5As8JvLdOoSerRJZ8+teC1fBLLIluM7axqxmj
mVlAFD/o/I9PWoi+sLtokjFkuvcYLl083W2AwzQoosqY67ApVWkdhsNpos1d/MHD
+RLgiYZ53/PASW2te55OeNO3T8MtwoaGbWILGtvw8Zs6lsENxgNm9kBJX09PkNju
kiKkHD/aPJEwnkYm22XwcA3/70/gwzXjcJ4lDQhgROj30tLt+KFWyM3zyIDfp58h
DAWuucVpqbva22D1tS9WD7VLvz/0+89Z7PozJIrKA69460gpGWWdX9YQhLajetgh
VV2QFR7YnrU4x0WGyRghNFY6C3O18oq9cjytX261m5LFMXM1/qoZL3cuu0pPDqsG
uceGE3D1mONSW6rVXI9BpR8sqFAj4I//+PcvDHid9vBYHslfydStqEvZDXbuivnX
Obh+ete5jb4ciBI1JDEAzLupISzUc0EaxxpRyS6y5lT32tQ7mFQTB3N7mzQtRyij
7ZRxx8IaTvYcQeTGmx7Ln5i1da6HDYpkHVpS/d7Gf+vshYDzNrxfMdE2sOtfPNhP
qu+Y14GhpT7rz1/U/pejBVLId8PUqzOy3IJYJHRXtSY/MOfsarhJSMRgB4uVowAH
POmFJAiqLB3ySytvXheh
=SqGP
-----END PGP SIGNATURE-----
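The .changes stanza in the message above lists every uploaded artifact three times: an MD5 in Files, a SHA-1 and a SHA-256. What follows is an added example, not part of this bug log and not Debian's own tooling: a small Python checker that parses those stanzas, confirms the three listings agree on file names and sizes, and verifies a downloaded artifact against the SHA-256 entry only (the MD5 column is parsed but never trusted). The stanza copied from the php-horde 5.2.9+debian0-1 message is used for the cross-check; the artifact verified at the end is a constructed byte string with a stanza generated for it, because the real package is not embedded here.

```python
import hashlib
import re

# Checksum stanzas copied from the php-horde 5.2.9+debian0-1 .changes text above.
CHANGES_5_2_9 = """\
Checksums-Sha1:
 899bfbce9984b27a758f7d9669cadb171224703c 2005 php-horde_5.2.9+debian0-1.dsc
 b46542b6d7a1013f25aac481de2824a943d69f29 2927951 php-horde_5.2.9+debian0.orig.tar.gz
 64456bb5b203cefeac5a348e6779a8e47a6d142b 7612 php-horde_5.2.9+debian0-1.debian.tar.xz
 2ffdf34348b859cd46429fcafd2839f71f299914 1746568 php-horde_5.2.9+debian0-1_all.deb
Checksums-Sha256:
 3bae0d495edf9416117ff2a8615fc68fa0db63a2ebb10519a352a5aa49c18913 2005 php-horde_5.2.9+debian0-1.dsc
 6dc07a47912b14adef5eb019d4defe23255091cd99e2385e2b9a300f1f459761 2927951 php-horde_5.2.9+debian0.orig.tar.gz
 c2a9e0eba3346fbb589a722e59b3d2c358d69b5307c5e41e50d6b8250610d47e 7612 php-horde_5.2.9+debian0-1.debian.tar.xz
 8af2834d94136d12836b0249f80ae97d20d208f060da8f618d1d550aca9318b0 1746568 php-horde_5.2.9+debian0-1_all.deb
Files:
 eb8bc6049e60a1d2a4f45bb9a2e191f1 2005 php extra php-horde_5.2.9+debian0-1.dsc
 20f926160a2596c8180e8aa09e27f27a 2927951 php extra php-horde_5.2.9+debian0.orig.tar.gz
 4c8885f612bc6f913a7fdebd7850106d 7612 php extra php-horde_5.2.9+debian0-1.debian.tar.xz
 b63cbdb973919b95e57b9c93212a0c89 1746568 php extra php-horde_5.2.9+debian0-1_all.deb
"""

SECTION_RE = re.compile(r"^(Checksums-Sha1|Checksums-Sha256|Files):\s*$")


def parse_changes(text):
    """Return {section: {filename: (digest, size)}} for the Files/Checksums-* stanzas.

    Other fields (Changes:, Description:, ...) also use space-indented continuation
    lines, so indented lines are only collected while inside one of the three sections.
    """
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif current and line.startswith(" "):
            parts = line.split()
            # Files: md5 size section priority name; Checksums-*: digest size name.
            sections[current][parts[-1]] = (parts[0], int(parts[1]))
        else:
            current = None  # any other field (or a blank line) ends the stanza
    return sections


def cross_check(sections):
    """Names and sizes must agree across Files, Checksums-Sha1 and Checksums-Sha256."""
    problems = []
    files = sections.get("Files", {})
    for sec in ("Checksums-Sha1", "Checksums-Sha256"):
        listed = sections.get(sec, {})
        if set(listed) != set(files):
            problems.append(f"{sec}: file list differs from Files")
        for name, (_, size) in listed.items():
            if name in files and files[name][1] != size:
                problems.append(f"{sec}: size mismatch for {name}")
    return problems


def verify_artifact(sections, name, data):
    """True only when data has the size and SHA-256 digest recorded for name."""
    entry = sections.get("Checksums-Sha256", {}).get(name)
    if entry is None:
        return False
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


# Constructed sample: a fake artifact and a stanza generated for it, so the
# verification path can be exercised offline (the real .deb is not embedded here).
SAMPLE_NAME = "php-horde_example_all.deb"
SAMPLE_DATA = b"constructed sample bytes, not a real Debian package\n"
SAMPLE_CHANGES = (
    "Checksums-Sha1:\n"
    f" {hashlib.sha1(SAMPLE_DATA).hexdigest()} {len(SAMPLE_DATA)} {SAMPLE_NAME}\n"
    "Checksums-Sha256:\n"
    f" {hashlib.sha256(SAMPLE_DATA).hexdigest()} {len(SAMPLE_DATA)} {SAMPLE_NAME}\n"
    "Files:\n"
    f" {hashlib.md5(SAMPLE_DATA).hexdigest()} {len(SAMPLE_DATA)} php extra {SAMPLE_NAME}\n"
)

if __name__ == "__main__":
    print("real stanza problems:", cross_check(parse_changes(CHANGES_5_2_9)))
    s = parse_changes(SAMPLE_CHANGES)
    print("sample verifies:", verify_artifact(s, SAMPLE_NAME, SAMPLE_DATA))
    print("tampered verifies:", verify_artifact(s, SAMPLE_NAME, SAMPLE_DATA + b"x"))
```

The checksum check binds the files to the signed text, not the text to anyone: the .changes file is only worth trusting after its OpenPGP clearsignature (the block above) has been verified against the uploader's key in the Debian keyring, for example with `gpg --verify` on the saved message.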




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#813573; Package php-horde. (Thu, 04 Feb 2016 13:27:09 GMT)


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 04 Feb 2016 13:27:09 GMT)


Message #26 received at 813573@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: 813573@bugs.debian.org
Subject: Jessie patch
Date: Thu, 4 Feb 2016 14:22:39 +0100
Here is the jessie debdiff.

-- 
Mathieu
[0001-Fix-XSS-vulnerability-in-menu-bar-Closes-813573.patch (text/x-diff, attachment)]

Changed Bug title to 'php-horde: CVE-2016-2228: Reflected cross-site scripting in menu bar' from '[php-horde] XSS vulnerability in menu bar'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 07 Feb 2016 05:33:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#813573; Package php-horde. (Wed, 24 Feb 2016 21:42:06 GMT)


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 24 Feb 2016 21:42:06 GMT)


Message #33 received at 813573@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: 813573@bugs.debian.org, 813590@bugs.debian.org, 813406@bugs.debian.org
Subject: WIP (was: Fwd: Proposed changes to jessie)
Date: Wed, 24 Feb 2016 22:40:21 +0100
Hello,

I've proposed the changes to -security, without response yet.

See below.

---------- Forwarded message ----------
From: Mathieu Parent <math.parent@gmail.com>
Date: 2016-02-24 22:24 GMT+01:00
Subject: Re: Proposed changes to jessie
To: team@security.debian.org


2016-02-04 15:04 GMT+01:00 Mathieu Parent <math.parent@gmail.com>:
> Hello,

Pinging again.

> I have prepared security fixes for two Horde packages:
> - php-horde: https://bugs.debian.org/813573#26 XSS vulnerability in menu bar
Debdiff at: http://anonscm.debian.org/cgit/pkg-horde/PEAR/php-horde.git/diff/?id2=47c6d6e6ad0836d657eee75e36ef8dbd19c843d2&id=112b45b0403df87828e6cd620eb0e3d4fc3c7fa9

> - php-horde-core: https://bugs.debian.org/813590#23 XSS in
> Horde_Core_VarRenderer_Html
Debdiff at: http://anonscm.debian.org/cgit/pkg-horde/PEAR/php-horde-core.git/diff/?id2=d79e0d5424ba76351cde56701e061f91d241ec09&id=a98c8cb02edaaa0378771a7f21855aaafc883785

>
> Can I upload the two packages (this is already fixed in sid)?

Waiting for your answer.

> I have also prepared a ctdb regression update, which fixes CTDB behavior
> under Linux after the fix for CVE-2015-8543:
> - https://bugs.debian.org/813406#25 ctdb, raw sockets and CVE-2015-8543

See http://anonscm.debian.org/cgit/pkg-samba/ctdb.git/commit/?h=debian-jessie&id=ec4e506686578cdf13b36ce18ec98cc5307b4e64

> Can I upload it?

Same.

> Can I make the same to wheezy once jessie is uploaded?

Same.

I think keeping those issues in place is not good.

Regards
--
Mathieu Parent



Reply sent to Mathieu Parent <sathieu@debian.org>:
You have taken responsibility. (Sat, 05 Mar 2016 22:36:05 GMT)


Notification sent to Mathieu Parent <math.parent@gmail.com>:
Bug acknowledged by developer. (Sat, 05 Mar 2016 22:36:05 GMT)


Message #38 received at 813573-close@bugs.debian.org:

From: Mathieu Parent <sathieu@debian.org>
To: 813573-close@bugs.debian.org
Subject: Bug#813573: fixed in php-horde 5.2.1+debian0-2+deb8u3
Date: Sat, 05 Mar 2016 22:33:57 +0000
Source: php-horde
Source-Version: 5.2.1+debian0-2+deb8u3

We believe that the bug you reported is fixed in the latest version of
php-horde, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813573@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sathieu@debian.org> (supplier of updated php-horde package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 24 Feb 2016 21:58:04 +0100
Source: php-horde
Binary: php-horde
Architecture: source all
Version: 5.2.1+debian0-2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description:
 php-horde  - ${phppear:summary}
Closes: 813573
Changes:
 php-horde (5.2.1+debian0-2+deb8u3) jessie-security; urgency=high
 .
   * Fix CVE-2016-2228: XSS vulnerability in menu bar (Closes: #813573)
Checksums-Sha1:
 9da5229b86cbec9e8323485a9285c81ff34ecefb 2040 php-horde_5.2.1+debian0-2+deb8u3.dsc
 dcf06051b9e1f479e49b57cc3ad0d2e254cafdff 13496 php-horde_5.2.1+debian0-2+deb8u3.debian.tar.xz
 849f947bb2956eea348187fedd0db6d48d4407f0 1681782 php-horde_5.2.1+debian0-2+deb8u3_all.deb
Checksums-Sha256:
 d63d827e0d84c501f2488f3c17aee9014805cc95ca60160edd6df7cd0b71a06f 2040 php-horde_5.2.1+debian0-2+deb8u3.dsc
 2f2f9428933f63f0bc1cb12e762114ac19fb6b6088e56819bddaa237bb8cbf23 13496 php-horde_5.2.1+debian0-2+deb8u3.debian.tar.xz
 32575ba391a6ae793a869ebac265c4bb8ba7798ba5129c67fee328379b93c642 1681782 php-horde_5.2.1+debian0-2+deb8u3_all.deb
Files:
 2318c3689f24b7cad94dc7f255e0cb71 2040 php extra php-horde_5.2.1+debian0-2+deb8u3.dsc
 38e6030c0f03097bfd887db2efa91b99 13496 php extra php-horde_5.2.1+debian0-2+deb8u3.debian.tar.xz
 f3039dc0e21d53694d986b61a0b60056 1681782 php extra php-horde_5.2.1+debian0-2+deb8u3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
[...]
=MYEP
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Apr 2016 07:39:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:54:33 2019; Machine Name: buxtehude
