Your message dated Mon, 08 Oct 2018 08:45:39 +0000 with message-id <e1g9raz-000epa...@fasolo.debian.org> and subject line Bug#909737: fixed in php-horde-kronolith 4.2.24-1 has caused the Debian Bug report #909737, regarding php-horde-kronolith: CVE-2017-16906 XSS via URL field to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
909737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909737
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: php-horde-kronolith
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for php-horde-kronolith.

CVE-2017-16906[0]:
| In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a
| "Calendar -> New Event" action.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16906
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16906

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: php-horde-kronolith
Source-Version: 4.2.24-1

We believe that the bug you reported is fixed in the latest version of php-horde-kronolith, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 909...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sath...@debian.org> (supplier of updated php-horde-kronolith package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Mon, 08 Oct 2018 09:51:44 +0200
Source: php-horde-kronolith
Binary: php-horde-kronolith
Architecture: source all
Version: 4.2.24-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <team+debian-horde-t...@tracker.debian.org>
Changed-By: Mathieu Parent <sath...@debian.org>
Description: php-horde-kronolith -
Closes: 909737 909738
Changes:
 php-horde-kronolith (4.2.24-1) unstable; urgency=medium
 .
   * New upstream version 4.2.24
   * CVE-2017-16906 XSS via URL field (Closes: #909737)
   * CVE-2017-16908 XSS via Name field (Closes: #909738)
--- End Message ---