Debian Bug report logs - #909738
php-horde-kronolith: CVE-2017-16908 XSS via Name field
Reported by: Markus Koschany <apo@debian.org>
Date: Thu, 27 Sep 2018 13:21:02 UTC
Severity: grave
Tags: security, upstream
Found in versions php-horde-kronolith/4.2.19-1, php-horde-kronolith/4.2.23-3
Fixed in version php-horde-kronolith/4.2.24-1
Done: Mathieu Parent <sathieu@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>: Bug#909738; Package php-horde-kronolith. (Thu, 27 Sep 2018 13:21:04 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>. (Thu, 27 Sep 2018 13:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php-horde-kronolith
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for php-horde-kronolith.
CVE-2017-16908[0]:
| In Horde Groupware 5.2.19, there is XSS via the Name field during
| creation of a new Resource. This can be leveraged for remote code
| execution after compromising an administrator account, because the
| CVE-2015-7984 CSRF protection mechanism can then be bypassed.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-16908
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16908
Please adjust the affected versions in the BTS as needed.
Regards,
Markus
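The bug class behind this report, as an added PHP example that is not Kronolith or Horde code: a value typed into the resource form (here the Name field; the URL field of the sibling CVE-2017-16906 fixed in the same upload is shown alongside it) is written into HTML without context-appropriate output encoding. The function names, the HTML fragment, the scheme allowlist and the sample inputs are constructed for this illustration; Horde's real templates and helpers differ. Because the rendered page is viewed by administrators, a stored payload runs with their session, which is the escalation path the CVE text describes.

```php
<?php
declare(strict_types=1);

// Added example, not code from Kronolith or Horde. Function names, markup
// and sample inputs are constructed for illustration only.

// Vulnerable pattern for the Name field: raw concatenation into markup.
// A stored name like <img src=x onerror=alert(1)> runs in the browser of
// every user who views the resource list, including administrators.
function render_resource_row_vulnerable(string $name, string $url): string
{
    return '<tr><td>' . $name . '</td><td><a href="' . $url . '">link</a></td></tr>';
}

// HTML text / attribute-value context: encode at the point of output.
// ENT_QUOTES also encodes ' so the helper is safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "" (which
// would silently drop the value and hide the problem).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL attribute context: encoding is necessary but not sufficient. A value
// of "javascript:alert(1)" survives htmlspecialchars() untouched and still
// executes on click, so the scheme is allowlisted (assumed list) before the
// value is placed into href. Unacceptable URLs are dropped (rendered empty).
function safe_href(string $url): string
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https', 'mailto'], true)) {
        return '';
    }
    return h($url);
}

function render_resource_row(string $name, string $url): string
{
    $href = safe_href($url);
    $link = $href === '' ? '' : '<a href="' . $href . '">link</a>';
    return '<tr><td>' . h($name) . '</td><td>' . $link . '</td></tr>';
}

// Regression check: once the fixed template text is removed, nothing that
// came from user input may still contain a tag delimiter, a quote, or an
// active scheme. This is a test helper, not an output filter.
function interpolated_input_is_inert(string $html): bool
{
    $fixed = ['<tr><td>', '</td><td>', '</td></tr>', '<a href="', '">link</a>'];
    $rest  = str_replace($fixed, '|', $html);
    return strpbrk($rest, '<>"\'') === false
        && stripos($rest, 'javascript:') === false;
}

// Constructed sample inputs.
$nameAttack = '<img src=x onerror=alert(document.cookie)>';
$urlAttack  = 'javascript:alert(document.cookie)';

var_dump(interpolated_input_is_inert(render_resource_row_vulnerable($nameAttack, $urlAttack)));
var_dump(interpolated_input_is_inert(render_resource_row($nameAttack, $urlAttack)));
var_dump(interpolated_input_is_inert(render_resource_row('Room "A" & B', 'https://example.org/room-a')));
echo render_resource_row($nameAttack, 'https://example.org/room-a'), PHP_EOL;
```

The check function is deliberately separate from the rendering path: an output filter that strips dangerous characters after the fact would mangle legitimate names such as `Room "A" & B`, whereas encoding at the output boundary preserves them and neutralises the payload.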
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 18:33:03 GMT)
Marked as found in versions php-horde-kronolith/4.2.23-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 18:33:04 GMT)
Marked as found in versions php-horde-kronolith/4.2.19-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 18:33:04 GMT)
Message sent to Markus Koschany <apo@debian.org>: Bug#909738. (Mon, 08 Oct 2018 07:57:15 GMT)
Message #14 received at 909738-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #909738 in php-horde-kronolith reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/horde-team/php-horde-kronolith/commit/c109086f86852292d7459d0dbbaf6afde705a301
------------------------------------------------------------------------
Add patches for CVE-2017-16906 (Closes: #909737) and CVE-2017-16908 (Closes: #909738)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/909738
Added tag(s) pending. Request was from Mathieu Parent <sathieu@debian.org> to 909738-submitter@bugs.debian.org. (Mon, 08 Oct 2018 07:57:15 GMT)
Reply sent to Mathieu Parent <sathieu@debian.org>: You have taken responsibility. (Mon, 08 Oct 2018 08:48:05 GMT)
Notification sent to Markus Koschany <apo@debian.org>: Bug acknowledged by developer. (Mon, 08 Oct 2018 08:48:05 GMT)
Message #21 received at 909738-close@bugs.debian.org:
Source: php-horde-kronolith
Source-Version: 4.2.24-1
We believe that the bug you reported is fixed in the latest version of
php-horde-kronolith, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 909738@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mathieu Parent <sathieu@debian.org> (supplier of updated php-horde-kronolith package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 08 Oct 2018 09:51:44 +0200
Source: php-horde-kronolith
Binary: php-horde-kronolith
Architecture: source all
Version: 4.2.24-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <team+debian-horde-team@tracker.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description:
php-horde-kronolith -
Closes: 909737 909738
Changes:
php-horde-kronolith (4.2.24-1) unstable; urgency=medium
.
* New upstream version 4.2.24
* CVE-2017-16906 XSS via URL field (Closes: #909737)
* CVE-2017-16908 XSS via Name field (Closes: #909738)
Checksums-Sha1:
851c7b44f005ecf4907273b5a5faa8be63cddf74 2175 php-horde-kronolith_4.2.24-1.dsc
0ff53e58c4b9b519dcf672a6c2b0226712245d6f 2644494 php-horde-kronolith_4.2.24.orig.tar.gz
eaf94c632dc1679f18a11dab3696cc947364aab4 4800 php-horde-kronolith_4.2.24-1.debian.tar.xz
e4a3d4cd98323e4c46e2a2b93ae8cfe451fbdf9f 1394764 php-horde-kronolith_4.2.24-1_all.deb
a5827569a9aacb4a562fa6b561700bb3c99d4c57 6234 php-horde-kronolith_4.2.24-1_amd64.buildinfo
Checksums-Sha256:
275680fe9461c4d5a77475b3646c5c77e9e2d69169d552242df8b91e5f1954d5 2175 php-horde-kronolith_4.2.24-1.dsc
adde767c5fa90a5cb3848188681dae11f64d7fc51a5698742942dbf699ed2507 2644494 php-horde-kronolith_4.2.24.orig.tar.gz
17ae36bc6af4459ab554d640b9b2ba1169fc767c01b5d1fa29fa12b6e91dbf87 4800 php-horde-kronolith_4.2.24-1.debian.tar.xz
5526c1f6003703267677aa71db08389a289f24b864fa05007662afde700925ad 1394764 php-horde-kronolith_4.2.24-1_all.deb
5595d01d71658e0af648d4a79d311319d381f0bf7a7e8d6d42db24e895ebaa3a 6234 php-horde-kronolith_4.2.24-1_amd64.buildinfo
Files:
9ecf98b7a507645bf584ad4687675f81 2175 php optional php-horde-kronolith_4.2.24-1.dsc
816c12223eaf6618fff3534a59a9eace 2644494 php optional php-horde-kronolith_4.2.24.orig.tar.gz
07ce38e710395764d75d3892472beadd 4800 php optional php-horde-kronolith_4.2.24-1.debian.tar.xz
ada6de7001de666ebec9174531314eb6 1394764 php optional php-horde-kronolith_4.2.24-1_all.deb
6148ade3dd6bb6ce86f64fb8cffc04a3 6234 php optional php-horde-kronolith_4.2.24-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Last modified: Wed Jun 19 15:00:14 2019