Your message dated Sat, 08 Feb 2014 12:17:30 +0000
with message-id <e1wc6qg-0008hg...@franck.debian.org>
and subject line Bug#737149: fixed in horde3 3.3.8+debian0-3
has caused the Debian Bug report #737149,
regarding CVE-2014-1691: Remote code execution in horde < 5.1.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
737149: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: horde3
Version: 3.3.8+debian0-2
Severity: serious
Tags: security
Justification: security issue
Hello,
As detailed on the debian security tracker[0] and reported on oss-sec[1] and
assigned CVE-2014-1691, there is a remote code execution bug in horde affecting
all versions from at least horde 3.1.x to 5.1.1.
That includes squeeze... I've got a patch that applies to the horde3 package in
squeeze that resolves this issue, please find it attached[2]... I've built and
tested these packages on Squeeze in an active environment. I am not certain
where this particular code is used, so I wasn't sure if I was able to test
exactly that code path.
If you would like, I can provide a package for squeeze for a DSA.
Micah
0. https://security-tracker.debian.org/tracker/CVE-2014-1691
1. http://seclists.org/oss-sec/2014/q1/153
2. https://gist.github.com/pietro/8712454/raw/b03bc5ecb7ec1f1f778b867ecd6d9d142d0ddaf7/gistfile1.diff
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages horde3 depends on:
ii apache2 2.4.7-1
ii apache2-bin [httpd] 2.4.7-1
ii libapache2-mod-php5 5.5.8+dfsg-3
ii libjs-scriptaculous 1.9.0-2
ii php-log 1.12.7-1
ii php-mail 1.2.0-5
ii php-mail-mime 1.8.8-1
ii php5-gd 5.5.8+dfsg-3
ii php5-mcrypt 5.5.8+dfsg-3
Versions of packages horde3 recommends:
pn fckeditor <none>
ii locales 2.17-97
ii logrotate 3.8.7-1
pn php-date <none>
ii php-db 1.7.14-2
pn php-file <none>
ii php-mdb2 2.5.0b5-1
pn php-mdb2-driver-mysql | php-mdb2-driver-pgsql | php-mdb2-driv <none>
pn php-services-weather <none>
ii php5-cli 5.5.8+dfsg-3
pn php5-mysql | php5-pgsql | php5-ldap <none>
pn tinymce2 | tinymce <none>
Versions of packages horde3 suggests:
pn chora2 <none>
pn enscript <none>
ii gettext 0.18.3.2-1
pn gollem <none>
pn imp4 <none>
pn kronolith2 <none>
ii libgeoip1 1.6.0-1
pn libwpd-tools <none>
pn mnemo2 <none>
pn php-net-imap <none>
pn php5-auth-pam <none>
ii php5-common [php5-mhash] 5.5.8+dfsg-3
pn ppthtml <none>
pn rpm <none>
pn source-highlight <none>
pn turba2 <none>
pn unrtf <none>
pn webcpp <none>
pn wv <none>
pn xlhtml <none>
-- Configuration Files:
/etc/horde/horde3/.htaccess [Errno 13] Permission denied: u'/etc/horde/horde3/.htaccess'
/etc/horde/horde3/conf.php [Errno 13] Permission denied: u'/etc/horde/horde3/conf.php'
/etc/horde/horde3/conf.xml [Errno 13] Permission denied: u'/etc/horde/horde3/conf.xml'
/etc/horde/horde3/hooks.php [Errno 13] Permission denied: u'/etc/horde/horde3/hooks.php'
/etc/horde/horde3/mime_drivers.php [Errno 13] Permission denied: u'/etc/horde/horde3/mime_drivers.php'
/etc/horde/horde3/motd.php [Errno 13] Permission denied: u'/etc/horde/horde3/motd.php'
/etc/horde/horde3/nls.php [Errno 13] Permission denied: u'/etc/horde/horde3/nls.php'
/etc/horde/horde3/prefs.php [Errno 13] Permission denied: u'/etc/horde/horde3/prefs.php'
/etc/horde/horde3/registry.d/README [Errno 13] Permission denied: u'/etc/horde/horde3/registry.d/README'
/etc/horde/horde3/registry.php [Errno 13] Permission denied: u'/etc/horde/horde3/registry.php'
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: horde3
Source-Version: 3.3.8+debian0-3
We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 737...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Micah Anderson <mi...@debian.org> (supplier of updated horde3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 30 Jan 2014 11:43:09 -0500
Source: horde3
Binary: horde3 pear-horde-channel
Architecture: source all
Version: 3.3.8+debian0-3
Distribution: squeeze-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hack...@lists.alioth.debian.org>
Changed-By: Micah Anderson <mi...@debian.org>
Description:
horde3 - horde web application framework
pear-horde-channel - pear.horde.org channel
Closes: 737149
Changes:
horde3 (3.3.8+debian0-3) squeeze-security; urgency=high
.
* Fix for CVE-2014-1691 (Closes: #737149)
Checksums-Sha1:
317fc812034106856ed78e273786b313d3cd2bf0 2188 horde3_3.3.8+debian0-3.dsc
abe1e1926a3abc5fb0fa1290101b31db34732870 7669669 horde3_3.3.8+debian0.orig.tar.gz
e9de20e633c1a39c25820a3aff2815d73d611496 30733 horde3_3.3.8+debian0-3.diff.gz
034d5a6c63dc5b5cacad50434370de883cb12cc9 7706792 horde3_3.3.8+debian0-3_all.deb
fca1b7d19503d940735c66d859625958bbd0e180 16664 pear-horde-channel_3.3.8+debian0-3_all.deb
Checksums-Sha256:
cf47380ad913bab77aca648d59b5698edaa4c06315b13c350880d3404ca90a24 2188 horde3_3.3.8+debian0-3.dsc
456f598e8fd46f622d0e33ea3da236d122795c6b1185d1185f0219a94f61528e 7669669 horde3_3.3.8+debian0.orig.tar.gz
c3a24684c517645d6ffb843d5f9a3e67aa38578533505b830889ffbb7113dd8f 30733 horde3_3.3.8+debian0-3.diff.gz
a1d910b1b5f7e9b64b770733338498faa43e8a2896178c080a8feee45f411730 7706792 horde3_3.3.8+debian0-3_all.deb
cd4a247b2664e997c50f81378a917709f55df86772d0baedb4bdf790be160c04 16664 pear-horde-channel_3.3.8+debian0-3_all.deb
Files:
098b6dea25e27142d12244b603e9fcf2 2188 web optional horde3_3.3.8+debian0-3.dsc
0372e36ffbce0a30c51e266ecd27195b 7669669 web optional horde3_3.3.8+debian0.orig.tar.gz
bea24d6587106235a5f226ee22e3b14b 30733 web optional horde3_3.3.8+debian0-3.diff.gz
1aa746a99bfed1ff3264ff0b1a9c784b 7706792 web optional horde3_3.3.8+debian0-3_all.deb
ba963ccd993bf4a9ad70384d166b890c 16664 web optional pear-horde-channel_3.3.8+debian0-3_all.deb
-----BEGIN PGP SIGNATURE-----
=BPaK
-----END PGP SIGNATURE-----
--- End Message ---
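The upload notice above carries the package artifacts with their sizes and SHA-1, SHA-256 and MD5 checksums in the deb822-style Checksums-*/Files fields of the signed .changes file. As an added example (not Debian's own tooling and not part of the original mails), the following Python parses those fields, cross-checks that the Files and Checksums-Sha256 sections agree on names and sizes, and verifies downloaded artifacts against the SHA-256 entries. The embedded .changes fragment is copied from the horde3 3.3.8+debian0-3 upload above (wrapped entries re-joined); the files used in `demo()` are constructed so the check runs offline.

```python
import hashlib
import os
import tempfile

# Fragment of the .changes body from the horde3 3.3.8+debian0-3 upload above,
# with the line-wrapped checksum entries re-joined; only the fields read here are kept.
HORDE3_CHANGES = """\
Version: 3.3.8+debian0-3
Checksums-Sha256:
 cf47380ad913bab77aca648d59b5698edaa4c06315b13c350880d3404ca90a24 2188 horde3_3.3.8+debian0-3.dsc
 456f598e8fd46f622d0e33ea3da236d122795c6b1185d1185f0219a94f61528e 7669669 horde3_3.3.8+debian0.orig.tar.gz
 c3a24684c517645d6ffb843d5f9a3e67aa38578533505b830889ffbb7113dd8f 30733 horde3_3.3.8+debian0-3.diff.gz
 a1d910b1b5f7e9b64b770733338498faa43e8a2896178c080a8feee45f411730 7706792 horde3_3.3.8+debian0-3_all.deb
 cd4a247b2664e997c50f81378a917709f55df86772d0baedb4bdf790be160c04 16664 pear-horde-channel_3.3.8+debian0-3_all.deb
Files:
 098b6dea25e27142d12244b603e9fcf2 2188 web optional horde3_3.3.8+debian0-3.dsc
 0372e36ffbce0a30c51e266ecd27195b 7669669 web optional horde3_3.3.8+debian0.orig.tar.gz
 bea24d6587106235a5f226ee22e3b14b 30733 web optional horde3_3.3.8+debian0-3.diff.gz
 1aa746a99bfed1ff3264ff0b1a9c784b 7706792 web optional horde3_3.3.8+debian0-3_all.deb
 ba963ccd993bf4a9ad70384d166b890c 16664 web optional pear-horde-channel_3.3.8+debian0-3_all.deb
"""


def parse_changes(text):
    """Parse a deb822-style body into {field: [lines]}; indented lines continue a field."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def checksum_entries(fields, field="Checksums-Sha256"):
    """Return [(hexdigest, size, filename)] for a Checksums-* field ('digest size name')."""
    entries = []
    for item in fields.get(field, []):
        digest, size, name = item.split()  # ValueError on a malformed entry
        entries.append((digest.lower(), int(size), name))
    return entries


def files_entries(fields):
    """Return [(md5, size, filename)] from the legacy Files field ('md5 size section priority name')."""
    entries = []
    for item in fields.get("Files", []):
        md5, size, _section, _priority, name = item.split()
        entries.append((md5.lower(), int(size), name))
    return entries


def cross_check(fields):
    """Files and Checksums-Sha256 must list the same names with the same sizes.
    Returns a list of discrepancies; empty means the two sections are consistent."""
    sha = {name: size for _, size, name in checksum_entries(fields)}
    md5 = {name: size for _, size, name in files_entries(fields)}
    problems = []
    for name in sorted(set(sha) | set(md5)):
        if name not in sha or name not in md5:
            problems.append(f"{name}: listed in only one section")
        elif sha[name] != md5[name]:
            problems.append(f"{name}: size {sha[name]} vs {md5[name]}")
    return problems


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(fields, directory):
    """Check each Checksums-Sha256 entry against the file of that name in `directory`.
    Returns {filename: 'ok' | 'missing' | 'size-mismatch' | 'sha256-mismatch'}."""
    result = {}
    for digest, size, name in checksum_entries(fields):
        path = os.path.join(directory, os.path.basename(name))  # never let a name escape the dir
        if not os.path.isfile(path):
            result[name] = "missing"
        elif os.path.getsize(path) != size:
            result[name] = "size-mismatch"  # cheap check before hashing
        elif sha256_file(path) != digest:
            result[name] = "sha256-mismatch"
        else:
            result[name] = "ok"
    return result


def demo():
    """Constructed self-check (not real package data): one intact file, one altered
    file of identical size, one absent file, all in a temporary directory."""
    good = hashlib.sha256(b"hello").hexdigest()
    changes = "Checksums-Sha256:\n" + "".join(
        f" {good} 5 {n}\n" for n in ("intact.txt", "altered.txt", "absent.txt"))
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "intact.txt"), "wb").write(b"hello")
        open(os.path.join(d, "altered.txt"), "wb").write(b"hellp")  # same size, one byte changed
        return verify_directory(parse_changes(changes), d)


if __name__ == "__main__":
    print("cross-check:", cross_check(parse_changes(HORDE3_CHANGES)) or "consistent")
    print(demo())
```

The checksums are only as trustworthy as the signature covering them, so in practice the PGP signature on the .changes file is verified before its Checksums-Sha256 entries are used; this script deliberately covers only the checksum step. The size comparison before hashing is what distinguishes a truncated download from a deliberately altered one of the right length, which is why `demo()` exercises both.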