[pkg-horde] horde problem.

Lionel Elie Mamane lionel at mamane.lu
Wed Mar 29 18:19:51 UTC 2006


On Wed, Mar 29, 2006 at 08:07:50PM +0200, Lionel Elie Mamane wrote:
> On Wed, Mar 29, 2006 at 05:04:27PM +0200, Martin Schulze wrote:

>> I've been told (haven't had the time to check on my own) that a very
>> serious security problem in horde has been discovered.

>> Are you able to provide fixed packages for woody, sarge and sid
>> soon, if the version in one of these distributions is affected
>> by this problem?

> Update for sarge is at http://people.debian.org/horde/ . Review
> recommended and appreciated. Summary of issues and changes:

Forgot woody; will address it after dinner.

>  - Remote code execution in help browser (eval() of user-provided
>    data). CVE to be allocated. My packages use "CVE-UNKNOWN-TODO" as a
>    placeholder. (from 3.0.10)

Woody not affected.

>  - CVE-2006-1260: allows remote attackers to read arbitrary files via
>    a null character in the url parameter in services/go.php, which
>    bypasses a sanity check. (from 3.0.10)

Woody affected.

>  - CVE-2005-4190: several XSS problems in the share edit window. (from
>    3.0.8)

Not sure about Woody status; probably not affected.

-- 
Lionel
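As an added example that is not part of this thread or of Horde's code, here is a small Python model of the NUL-byte bypass class named above for CVE-2006-1260: an application-level sanity check inspects the whole string, while a NUL-terminated C routine further down consumes only the prefix. The suffix allow-list and the sample paths are hypothetical, since the message does not say what go.php's check actually looked at.

```python
# Added example, not Horde's code. Models the bug class behind CVE-2006-1260
# as described in the thread: a PHP-level sanity check inspects the whole
# string, but a NUL-terminated C routine further down sees only the part
# before the first NUL, so the check and the consumer disagree on the value.
NUL = "\x00"
ALLOWED_SUFFIXES = (".html", ".txt")  # hypothetical allow-list, not Horde's


def as_c_string(value: str) -> str:
    """Return what a NUL-terminated C API would consume from this string."""
    return value.split(NUL, 1)[0]


def naive_check(url: str) -> bool:
    """Hypothetical sanity check that only looks at the string's suffix."""
    return url.endswith(ALLOWED_SUFFIXES) and ".." not in url


def hardened_check(url: str) -> bool:
    """Reject control characters first, then apply the same allow-list."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    # The value validated must be byte-for-byte the value consumed.
    return as_c_string(url) == url and naive_check(url)


def audit(url: str) -> dict:
    """Compare both checks and report what the lower layer would open."""
    return {
        "naive_accepts": naive_check(url),
        "hardened_accepts": hardened_check(url),
        "consumed_path": as_c_string(url),
    }


# Constructed sample inputs (not taken from the original report).
SAMPLES = [
    "help/index.html",                            # benign
    "/srv/private/db.conf" + NUL + "x.html",      # NUL hides the real target
    "../../config.php" + NUL + ".txt",            # traversal plus NUL
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), audit(sample))
```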
