Your message dated Wed, 26 May 2021 19:17:09 +0000
with message-id <e1llz1h-000g9d...@fasolo.debian.org>
and subject line Bug#982769: fixed in php-horde-text-filter 2.3.5-3+deb10u2
has caused the Debian Bug report #982769,
regarding php-horde-text-filter: CVE-2021-26929
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
982769: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-text-filter
Version: 2.3.6-7
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.3.5-3+deb10u1
Control: found -1 2.3.5-3
Hi,
The following vulnerability was published for php-horde-text-filter.
CVE-2021-26929[0]:
| An XSS issue was discovered in Horde Groupware Webmail Edition through
| 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The
| attacker can send a plain text e-mail message, with JavaScript encoded
| as a link or email that is mishandled by preProcess in Text2html.php,
| because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with
| XSS defenses.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-26929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26929
[1] https://lists.horde.org/archives/announce/2021/001298.html
[2] https://www.alexbirnberg.com/horde-xss.html
[3] https://github.com/horde/Text_Filter/commit/a2f67da064d7a91440b7a2448e56a6387ab94c67
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: php-horde-text-filter
Source-Version: 2.3.5-3+deb10u2
Done: Mike Gabriel <sunwea...@debian.org>
We believe that the bug you reported is fixed in the latest version of
php-horde-text-filter, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 982...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated php-horde-text-filter
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 24 May 2021 00:02:12 +0200
Source: php-horde-text-filter
Architecture: source
Version: 2.3.5-3+deb10u2
Distribution: buster
Urgency: medium
Maintainer: Horde Maintainers <team+debian-horde-t...@tracker.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 982769
Changes:
php-horde-text-filter (2.3.5-3+deb10u2) buster; urgency=medium
.
[ Mike Gabriel ]
* debian/control:
+ Drop Debian QA Group from Uploaders: field, add myself instead.
.
[ Sylvain Beucler ]
* CVE-2021-26929: An XSS issue was discovered in Horde Groupware Webmail
Edition (where the Horde_Text_Filter library is used). The attacker
can send a plain text e-mail message, with JavaScript encoded as a
link or email that is mishandled by preProcess in Text2html.php,
because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with
XSS defenses. (Closes: #982769).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---