[pkg-horde] Re: horde problem.
Moritz Muehlenhoff
jmm at inutil.org
Wed Mar 29 15:35:51 UTC 2006
Martin Schulze wrote:
> I've been told (haven't had the time to check on my own) that
> a very serious security problem in horde has been discovered.
>
> Are you able to provide fixed packages for woody, sarge and sid
> soon, if the version in one of these distributions is affected
> by this problem?
According to upstream, Woody isn't affected. I've extracted the fix, which
should apply cleanly to Sarge:
diff -uNr horde-3.0.9/services/help/index.php horde-3.0.10/services/help/index.php
--- horde-3.0.9/services/help/index.php Mon Jan 3 04:25:45 2005
+++ horde-3.0.10/services/help/index.php Tue Mar 28 04:33:33 2006
@@ -53,7 +53,7 @@
require HORDE_TEMPLATES . '/help/menu.inc';
} elseif ($show == 'about') {
require $fileroot . '/lib/version.php';
- eval('$version = "' . ucfirst($module) . ' " . ' . String::upper($module) . '_VERSION;');
+ $version = String::ucfirst($module) . ' ' . constant(String::upper($module) . '_VERSION');
$credits = Util::bufferOutput('include', $fileroot . '/docs/CREDITS');
$credits = String::convertCharset($credits, 'iso-8859-1', NLS::getCharset());
require HORDE_TEMPLATES . '/help/about.inc';
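
Review bot: On the new `$version = ...` line, constant() is called with a name built from $module without a defined() check, so a module that has no matching `_VERSION` constant raises a PHP warning or error instead of failing cleanly; testing `defined(String::upper($module) . '_VERSION')` first and falling back to an empty version string would avoid that. The hunk also does not show where $module is validated. It is no longer evaluated as code, but it is still concatenated into $version, which the about template loaded on the last line presumably prints, so it is worth confirming that $module is restricted to the registered application names before this branch, or that the template escapes it on output.
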
Unfortunately I'm very busy today, so I can't push out an update. Possibly
tomorrow, but it'd be good if one of you could go ahead, as this seems very
easily exploitable.
Cheers,
Moritz