Your message dated Sat, 11 Jul 2009 06:32:05 +0000
with message-id <e1mpw7x-0006op...@ries.debian.org>
and subject line Bug#536554: fixed in sork-passwd-h3 3.1-1.1
has caused the Debian Bug report #536554,
regarding CVE-2009-2360: Cross-site scripting vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
536554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536554
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sork-passwd-h3
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sork-passwd-h3.

CVE-2009-2360[0]:
| Cross-site scripting (XSS) vulnerability in passwd/main.php in the
| Passwd module before 3.1.1 for Horde allows remote attackers to inject
| arbitrary web script or HTML via the backend parameter.

The upstream patch can be found here[1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2360
    http://security-tracker.debian.net/tracker/CVE-2009-2360
[1] http://bugs.horde.org/ticket/8398



--- End Message ---
--- Begin Message ---
Source: sork-passwd-h3
Source-Version: 3.1-1.1

We believe that the bug you reported is fixed in the latest version of
sork-passwd-h3, which is due to be installed in the Debian FTP archive:

sork-passwd-h3_3.1-1.1.diff.gz
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.1-1.1.diff.gz
sork-passwd-h3_3.1-1.1.dsc
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.1-1.1.dsc
sork-passwd-h3_3.1-1.1_all.deb
  to pool/main/s/sork-passwd-h3/sork-passwd-h3_3.1-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 536...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <wh...@debian.org> (supplier of updated sork-passwd-h3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 11 Jul 2009 06:02:56 +0000
Source: sork-passwd-h3
Binary: sork-passwd-h3
Architecture: source all
Version: 3.1-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Horde Maintainers <pkg-horde-hack...@lists.alioth.debian.org>
Changed-By: Steffen Joeris <wh...@debian.org>
Description: 
 sork-passwd-h3 - Horde3 module for users to change their password
Closes: 536554
Changes: 
 sork-passwd-h3 (3.1-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix XSS via the backend parameter (Closes: #536554)
     Fixes: CVE-2009-2360

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpYL3sACgkQ62zWxYk/rQfEXgCcC4dP5Gkr7MG2anAmGjRI04Ie
oBsAn04n/l/bQLWICUejm7q/3KfAh5KD
=iGkc
-----END PGP SIGNATURE-----



--- End Message ---
