[pkg-horde] Re: [sf@sfritsch.de: Bug#396099: CVE-2006-5449: Ingo Folder Name Shell Command Injection Vulnerability]

Lionel Elie Mamane lionel at mamane.lu
Wed Nov 1 22:45:15 CET 2006


On Tue, Oct 31, 2006 at 01:31:46PM +0100, Moritz Muehlenhoff wrote:
> Hi Lionel

>> At first sight, sarge is affected. I haven't had time yet to
>> extract/backport a fix, but new upstream version fixing that in sid
>> will be uploaded in a few minutes.

> Please review and test (I don't have a Horde setup) attached patch
> for Sarge.

With maintainer hat on, I officially bless this patch. Package based
on this patch available at http://people.debian.org/~lmamane/ .

Here is a suggested announcement:

Package        : ingo1
Vulnerability  : programming error
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-5449
Debian Bug     : 396099

Due to insufficient escaping of user-provided data in created procmail
rules files, a remote authenticated user can execute arbitrary
commands as himself, even though he may not have shell access to the
machine.

For the stable distribution (sarge), this problem has been fixed in
version 1.0.1-1sarge1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.2-1.

We recommend that you upgrade your ingo1 package.
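The defensive pattern the advisory's description points to, as an added example that is neither Ingo's code nor the Debian patch: Ingo is written in PHP, but the check is shown here in Python, and the recipe layout, the allowlist and the sample values are assumptions.

```python
import re

# Constructed example (not Ingo's code): delivery-target folder names must
# match this allowlist before being written into a procmail rules file. Every
# other character, including whitespace, newlines, quotes, '|', '!', '$' and
# backticks, is rejected rather than escaped, since procmail interprets several
# of them in the recipe's action line and the rules file is parsed as text.
_FOLDER_COMPONENT = r"[A-Za-z0-9][A-Za-z0-9._-]*"
_SAFE_FOLDER = re.compile(rf"{_FOLDER_COMPONENT}(?:/{_FOLDER_COMPONENT})*")
_REGEX_META = re.compile(r"([\\.*+?^$()\[\]{}|])")


class UnsafeFolderName(ValueError):
    """Raised when a user-supplied folder name must not reach the rules file."""


def is_safe_folder_name(name: str) -> bool:
    # fullmatch (not match) so a trailing newline cannot slip past the pattern;
    # the component rule also blocks a leading '/', empty and '..' components.
    return _SAFE_FOLDER.fullmatch(name) is not None


def validate_folder_name(name: str) -> str:
    if not is_safe_folder_name(name):
        raise UnsafeFolderName(f"rejected folder name: {name!r}")
    return name


def delivery_recipe_unescaped(from_address: str, folder: str) -> str:
    # The pre-fix pattern the advisory describes: user data is written into the
    # generated recipe verbatim, so the folder name controls the action line.
    return f":0:\n* ^From:.*{from_address}\n{folder}\n"


def delivery_recipe(from_address: str, folder: str) -> str:
    # Hardened form: the folder name is allowlisted, and the address is limited
    # to printable non-space characters and escaped so procmail's egrep-style
    # matcher treats it literally.
    safe_folder = validate_folder_name(folder)
    if not re.fullmatch(r"[\x21-\x7e]+", from_address):
        raise ValueError(f"rejected address: {from_address!r}")
    safe_from = _REGEX_META.sub(r"\\\1", from_address)
    return f":0:\n* ^From:.*{safe_from}\n{safe_folder}\n"
```

Rejecting rather than escaping keeps the generated file free of anything procmail could read as a pipe, a variable or a second recipe, which is the property the sarge fix needs to guarantee.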
