[pkg-horde] Bug#400899: kronolith2 permits arbitrary file access under user running CGIs or HTTP server
Lionel Elie Mamane
lionel at mamane.lu
Wed Nov 29 12:53:51 UTC 2006
Package: kronolith2
Severity: critical
Version: 2.0.0
Tags: security
Apparently, there was a way to force kronolith2 versions 2.1.0 up to
2.1.3 (and 2.0.0 up to 2.0.7) to include an arbitrary file in some
page it serves. Solved by new upstream version. CVE number unknown.
Unknown whether kronolith (1.x) in sarge is similarly vulnerable (that
version is not supported upstream anymore).
--
Lionel
-------------- next part --------------
An embedded message was scrubbed...
From: Jan Schneider <jan at horde.org>
Subject: [announce] [SECURITY] Kronolith H3 (2.1.4) (final)
Date: Wed, 29 Nov 2006 13:42:23 +0100 (CET)
Size: 4980
Url: http://lists.alioth.debian.org/pipermail/pkg-horde-hackers/attachments/20061129/fa012e38/attachment.mht