Your message dated Wed, 03 May 2017 05:48:26 +0000
with message-id <e1d5n9g-0009ug...@fasolo.debian.org>
and subject line Bug#859635: fixed in php-horde-crypt 2.7.5-2
has caused the Debian Bug report #859635,
regarding php-horde-crypt: CVE-2017-7413 CVE-2017-7414
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
859635: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859635
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-crypt
Version: 2.7.5-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerabilities were published for php-horde-crypt.

CVE-2017-7413[0]:
| In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition
| through 5.2.17, OS Command Injection can occur if the attacker is an
| authenticated Horde Webmail user, has PGP features enabled in their
| preferences, and attempts to encrypt an email addressed to a
| maliciously crafted email address.

CVE-2017-7414[1]:
| In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition
| 5.x through 5.2.17, OS Command Injection can occur if the user has PGP
| features enabled in the user's preferences, and has enabled the "Should
| PGP signed messages be automatically verified when viewed?" preference.
| To exploit this vulnerability, an attacker can send a PGP signed email
| (that is maliciously crafted) to the Horde user, who then must either
| view or preview it.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7413
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7413
[1] https://security-tracker.debian.org/tracker/CVE-2017-7414
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7414

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-horde-crypt
Source-Version: 2.7.5-2

We believe that the bug you reported is fixed in the latest version of
php-horde-crypt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sath...@debian.org> (supplier of updated php-horde-crypt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 May 2017 07:15:32 +0200
Source: php-horde-crypt
Binary: php-horde-crypt
Architecture: source all
Version: 2.7.5-2
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <pkg-horde-hack...@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sath...@debian.org>
Description:
 php-horde-crypt - ${phppear:summary}
Closes: 859635
Changes:
 php-horde-crypt (2.7.5-2) unstable; urgency=medium
 .
   * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
     CVE-2017-7414 (Closes: #859635)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
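
The changelog entry above describes the fix as escaping user-provided recipients and charset data. The following is an added illustration of that mitigation and is not code from Horde_Crypt or the Debian package: the function name, the charset allowlist and the sample values are assumptions, and it supposes a gpg command line assembled from those two inputs.

```php
<?php
// Added example (hypothetical helper, not Horde_Crypt code): build a gpg
// encryption command so that recipient and charset values taken from a
// message or from user preferences cannot alter the shell command.

// Assumed allowlist of charset names accepted for gpg's --charset option.
const ALLOWED_CHARSETS = ['utf-8', 'iso-8859-1', 'iso-8859-15', 'koi8-r'];

function buildEncryptCommand(string $gpgBinary, array $recipients, string $charset): string
{
    // Charset: normalise, then accept only known names instead of
    // passing through whatever string the message header supplied.
    $charset = strtolower(trim($charset));
    if (!in_array($charset, ALLOWED_CHARSETS, true)) {
        throw new InvalidArgumentException('unsupported charset');
    }

    $parts = [
        escapeshellarg($gpgBinary), '--batch', '--armor', '--encrypt',
        '--charset', escapeshellarg($charset),
    ];

    foreach ($recipients as $rcpt) {
        // Reject empty values and control characters outright.
        if ($rcpt === '' || preg_match('/[\x00-\x1f\x7f]/', $rcpt)) {
            throw new InvalidArgumentException('invalid recipient');
        }
        // escapeshellarg() quotes the value so the shell passes it to gpg
        // as one literal argument, whatever metacharacters it contains.
        $parts[] = '--recipient';
        $parts[] = escapeshellarg($rcpt);
    }

    return implode(' ', $parts);
}

// Constructed sample input: one ordinary address and one containing shell
// metacharacters. The second stays inside a single quoted argument.
$recipients = ['alice@example.org', "bob@example.org'; echo INJECTED #"];
echo buildEncryptCommand('/usr/bin/gpg', $recipients, 'UTF-8'), PHP_EOL;

// A charset value that is not on the allowlist is refused before any
// command string is built.
try {
    buildEncryptCommand('/usr/bin/gpg', ['alice@example.org'], 'utf-8; echo INJECTED');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

On PHP 7.4 and later, passing the command as an array to proc_open() avoids the shell entirely, which removes the need for quoting.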
