[pkg-horde] Re: horde problem.

Martin Schulze joey at infodrom.org
Wed Mar 29 15:45:04 UTC 2006


Lionel Elie Mamane wrote:
> > Are you able to provide fixed packages for woody,
> 
> Not affected: contains only horde.

Ok.

> > sarge and sid
> 
> Affected. Even the just uploaded 3.1 (currently in incoming) is
> affected.

Ok.

> To fix sarge: The diff between upstream 3.0.9 and 3.0.10 is the best
> starting point I know of; the changelog is:
> 
>     * Fix for remote code execution vulnerability in the help viewer,
>       discovered by Jan Schneider from the Horde team.
>     * Fixed a few minor bugs.
> 
> Fix of sid/etch should happen by upload of upstream 3.1.1.
> 
> > soon,
> 
> Personally, I have a security update to Mailman to prepare, and then I
> can turn to Horde3. Which means I *might* be able to do something
> Thursday evening (today is not totally excluded); if not then the next
> probable Debian-slot is Sunday or Monday.

If the Horde problem is arbitrary execution of remotely injected
PHP code, then it is a lot more serious than the DoS/mbox crash
bug in Mailman because it means remote access to machines where
people are not supposed to have remote access.

> In the team, opal has been active lately, so he may surprise us with
> an update soon.

That would be appreciated.

Regards,

	Joey

-- 
The only stupid question is the unasked one.
