Bug#415116: [pkg-horde] Bug#415116: horde3: arbitrary file deletion vulnerability - local users
Ola Lundqvist
opal at debian.org
Fri Mar 16 18:24:59 CET 2007
Hi

On Fri, Mar 16, 2007 at 08:29:44AM +0100, Lionel Elie Mamane wrote:
> Package: horde3
> Version: 3.0.4-1, 3.1-1
> Severity: critical
> Tags: security
> Justification: security hole on mere installation of package
>
> Changelog for new upstream release 3.1.4 says:
>
> This (...) fixes an arbitrary file deletion vulnerability exploitable
> by local system (not Horde) users on systems using the example cron
> cleanup script.

Which we are, I assume...

> Major changes compared to Horde 3.1.4-RC1 are:
> * Correctly quote file names in cleanup script for temporary files.
>
> Actually, sarge (3.0.4) may be vulnerable or not, I haven't checked
> yet.

Likely that is the case.

Will you create a fix for this?

Regards,

// Ola

> --
> Lionel
--
--------------------- Ola Lundqvist ---------------------------
/ opal at debian.org Annebergsslingan 37 \
| ola at opalsys.net 654 65 KARLSTAD |
| +46 (0)54-10 14 30 +46 (0)70-332 1551 |
| http://opalsys.net/ UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
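
The changelog entry quoted in the message above attributes the bug to file names that were not quoted in a cleanup script for temporary files. The following shell example is added here as an illustration of that bug class; it is not Horde's script and not part of the original message, and its function names and sandbox paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration of unquoted vs. quoted file names in a temp cleanup.
# Not Horde's cleanup script; all names and paths here are constructed.

# Build the sandbox under $1: tmp/ plays the shared temp directory,
# cwd/ the directory the cleanup job happens to run in.
populate() {
    mkdir -p "$1/tmp" "$1/cwd"
    : > "$1/cwd/keep.txt"          # file the cleanup must never touch
    : > "$1/tmp/stale keep.txt"    # temp file with a space in its name
}

# Weak form: $f is expanded unquoted, so the shell splits the name on
# whitespace and rm receives two arguments instead of one path.
cleanup_unquoted() {
    ( cd "$1/cwd" || exit 1
      for f in "$1"/tmp/*; do
          rm -f $f
      done )
}

# Corrected form: find hands each name to rm as a single argument,
# so no file name is ever re-parsed by a shell.
cleanup_quoted() {
    ( cd "$1/cwd" || exit 1
      find "$1/tmp" -xdev -type f -exec rm -f -- {} + )
}

# Run one cleanup function in a fresh sandbox and report whether the
# file outside the temp directory survived ("kept") or not ("deleted").
run_case() {
    sb=$(mktemp -d) || return 1
    populate "$sb"
    "$1" "$sb"
    if [ -e "$sb/cwd/keep.txt" ]; then r=kept; else r=deleted; fi
    rm -rf -- "$sb"
    echo "$r"
}

echo "unquoted: $(run_case cleanup_unquoted)"
echo "quoted:   $(run_case cleanup_quoted)"
```

In the unquoted run the temp file itself is left in place while `keep.txt` outside the temp directory is removed, which is the failure the changelog's "correctly quote file names" fix addresses.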