[pkg-horde] Bug#400899: kronolith2 permits arbitrary file access under user running CGIs or HTTP server

Lionel Elie Mamane lionel at mamane.lu
Wed Nov 29 12:53:51 UTC 2006

Package: kronolith2
Severity: critical
Version: 2.0.0
Tags: security

Apparently, there was a way to force kronolith2 versions 2.1.0 up to
2.1.3 (and 2.0.0 up to 2.0.7) to include an arbitrary file in some
page it serves. Solved by new upstream version. CVE number unknown.

Unknown whether kronolith (1.x) in sarge is similarly vulnerable (that
version is not supported upstream anymore).

-------------- next part --------------
An embedded message was scrubbed...
From: Jan Schneider <jan at horde.org>
Subject: [announce] [SECURITY] Kronolith H3 (2.1.4) (final)
Date: Wed, 29 Nov 2006 13:42:23 +0100 (CET)
Size: 4980
Url: http://lists.alioth.debian.org/pipermail/pkg-horde-hackers/attachments/20061129/fa012e38/attachment.mht

More information about the pkg-horde-hackers mailing list