Your message dated Fri, 23 May 2014 21:23:29 +0000
with message-id <e1wnww5-0001uy...@franck.debian.org>
and subject line Bug#748828: fixed in collabtive 1.2+dfsg-2
has caused the Debian Bug report #748828,
regarding collabtive: CVE-2014-3246 CVE-2014-3247
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
748828: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=748828
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: collabtive
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for collabtive.

CVE-2014-3246[0]:
| SQL injection vulnerability in Collabtive 1.2 allows remote
| authenticated users to execute arbitrary SQL commands via the folder
| parameter in a fileview_list action to manageajax.php.

CVE-2014-3247[1]:
| Cross-site scripting (XSS) vulnerability in Collabtive 1.2 allows
| remote authenticated users to inject arbitrary web script or HTML via
| the desc parameter in an Add project (addpro) action to admin.php.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3246
    https://security-tracker.debian.org/tracker/CVE-2014-3246
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3247
    https://security-tracker.debian.org/tracker/CVE-2014-3247

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
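As an added illustration of the two bug classes named in the report above (example code written for this page, not Collabtive's own code and not the patch shipped in 1.2+dfsg-2): the CVE text says the folder parameter of the fileview_list action reaches SQL, and the desc parameter of the addpro action reaches HTML unescaped. The snippet below reconstructs each pattern next to its usual fix. The files table, its columns, the row data and every function name are invented for the demonstration; it uses in-memory SQLite through PDO so it runs stand-alone with `php example.php`, and it does not reproduce the real handlers in manageajax.php or admin.php.

```php
<?php
// Added illustrative example; not Collabtive's code. Table, column and
// function names below are invented for the demonstration.

function open_sample_db(): PDO
{
    // In-memory SQLite through PDO so the example runs without a MySQL server.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema and rows (the real Collabtive tables differ).
    $db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, project INTEGER, folder INTEGER, name TEXT)');
    $db->exec("INSERT INTO files (project, folder, name) VALUES
               (1, 1, 'plan.pdf'), (1, 2, 'budget.xls'), (2, 1, 'other-project.docx')");
    return $db;
}

// CVE-2014-3246 pattern: the request's folder value is spliced into the query.
// Because AND binds tighter than OR, folder=1 OR 1=1 turns the WHERE clause
// into (project = 1 AND folder = 1) OR 1=1, so rows of other projects come back.
function fileview_list_vulnerable(PDO $db, int $project, string $folder): array
{
    $sql = "SELECT name FROM files WHERE project = $project AND folder = $folder";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: reject anything that is not a plain integer, then bind the value so
// the database never parses it as SQL.
function fileview_list_fixed(PDO $db, int $project, string $folder): array
{
    if (!ctype_digit($folder)) {
        throw new InvalidArgumentException('folder must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT name FROM files WHERE project = :project AND folder = :folder');
    $stmt->execute([':project' => $project, ':folder' => (int) $folder]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// CVE-2014-3247 pattern: the stored project description is echoed into HTML as-is.
function render_desc_vulnerable(string $desc): string
{
    return '<p class="desc">' . $desc . '</p>';
}

// Fixed: encode for the HTML context at output time. ENT_QUOTES also covers
// attribute contexts; naming the charset avoids htmlspecialchars returning ''
// on byte sequences that are invalid in the default encoding.
function render_desc_fixed(string $desc): string
{
    return '<p class="desc">' . htmlspecialchars($desc, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Demonstration: an authenticated member of project 1 sends a crafted folder value.
$db = open_sample_db();
$payload = '1 OR 1=1';

echo "vulnerable listing:\n";
print_r(fileview_list_vulnerable($db, 1, $payload));
echo "fixed listing, valid value:\n";
print_r(fileview_list_fixed($db, 1, '1'));
try {
    fileview_list_fixed($db, 1, $payload);
} catch (InvalidArgumentException $e) {
    echo "fixed listing, payload: rejected ({$e->getMessage()})\n";
}

// Demonstration: a description carrying script, as stored by the addpro action.
$xss = '<script>alert(document.cookie)</script>';
echo render_desc_vulnerable($xss), "\n";
echo render_desc_fixed($xss), "\n";
```

The vulnerable listing crosses the project boundary because the database, not the application, decides what the folder value means; the fixed listing refuses the value before any query runs, and a bound integer cannot change the query's shape. The same split applies to the description: validation on input is useful, but the encoding that stops the script from executing has to happen where the value is written into HTML.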
--- Begin Message ---
Source: collabtive
Source-Version: 1.2+dfsg-2

We believe that the bug you reported is fixed in the latest version of
collabtive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 748...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gunnar Wolf <gw...@debian.org> (supplier of updated collabtive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 23 May 2014 11:27:55 -0500
Source: collabtive
Binary: collabtive
Architecture: source all
Version: 1.2+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Gunnar Wolf <gw...@debian.org>
Changed-By: Gunnar Wolf <gw...@debian.org>
Description: 
 collabtive - Web-based project management software
Closes: 748828
Changes: 
 collabtive (1.2+dfsg-2) unstable; urgency=high
 .
   * Reliability patch: Check queries return objects before iterating
     over them, avoiding PHP errors (and ugly blank screens)
   * Fix a SQL injection vulnerability in project.datei.php
     (ref: CVE-2014-3246) (Closes: #748828)
Checksums-Sha1: 
 a4bc3043a95045027579690ce5db28d814f2816a 1764 collabtive_1.2+dfsg-2.dsc
 e96a07790c3e57711d496cb3e9c1cc30276fb66c 42644 collabtive_1.2+dfsg-2.debian.tar.xz
 7162f831895cd2f4d8ab60447257245e0b81b3d6 2528946 collabtive_1.2+dfsg-2_all.deb
Checksums-Sha256:
 2bb505a47f9d997e7b5288cd43b0273cb14a149e7a727be9f530546fbc228d63 1764 collabtive_1.2+dfsg-2.dsc
 a132113a9c86d3824b2bc75d85a791e19d30901b3053a5a701c4cdbb8e6b2e80 42644 collabtive_1.2+dfsg-2.debian.tar.xz
 9ebd8f43d85154938be02a2fd90ee1784d122073673933a1d27751c1da9a64cb 2528946 collabtive_1.2+dfsg-2_all.deb
Files:
 5199282313e8f21ffeca280f8f2e75ad 2528946 web optional collabtive_1.2+dfsg-2_all.deb
 03ed8f3ac5b16ea6e673066678099527 1764 web optional collabtive_1.2+dfsg-2.dsc
 666c480d5ed74ba4a1523d15d5ce69c2 42644 web optional collabtive_1.2+dfsg-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJTf6j8AAoJEGc6A+TB25IfN7UQAIBOFuae4DIknK0ph4f9sOYZ
G2RzWFd3irbjqTpU7XgAnCbP/k9GRUP+q2C1wtTXf6lCgfm57bUfHaQ6LXWAyuyW
F2WE7qGexOXWG/GmAmkEkWNnTkZiEtLisw25gBure0fUclUUJWAerzxd69cnyduO
FTUdHQFILRaKNVrYmIXTj7bbRNViT0sgzhWxehGyYluzzqTjGVeo3zlVs5gc4wnn
366KU0onUSbeiYDcKslKyDEfxav7G477uJoe01dVSi4GHdFDljwEimhJv1PXRWIL
oI/Yt7+L9hiPB8AVHR5mCnzb1gZmJIRNip3o/nzbT0yQxbZ1SpiTPUwLtQikjS3w
8pejQuC3ThSiE8NMYBC9L1TNuUoYcLDrEeqoaZANCEwkg8e36uyTrLXuwpS+77iJ
hzkEBiWjh15EoJjL8XyOhoj6Re1pCzf6FOYbC6KfqF4Gj8cCqX5qVo4qhyT96LP+
o9faVGwqZfLjx2jcAyo8+iAlPWIg2oZuGocDteMibw/upkbR4u/ZIZtvGa3K5vMa
WxJV/GRN0RTy6WOH8glSqA8XTKvQxeN5sUXW7TUcpU07deI86QwFsBv+33oEzT1v
btezLo8yaDixeTLaOuyXcB3wQBONg/9540Fk2q2Bv5NsiHIG8U4J+UHf1ZSMSFfC
bag1p63huCJmz/MANVmS
=KrGR
-----END PGP SIGNATURE-----

--- End Message ---