[pkg-horde] Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

Chuck Hagenbuch chuck at horde.org
Mon Feb 18 23:26:38 UTC 2008


Quoting Gregory Colpart <reg at evolix.fr>:

> Thanks a lot for your final patches. Turba 2.1.7 is already in
> Debian unstable distribution. But for Debian stable and
> oldstable, I can't upload version 2.1.7: I need to backport
> security changes. Could you review my backported patches?
>
> - Patch for Turba 2.1.4 (Debian stable):
> http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1_2.1.3-1etch1.diff
>
> - Patch for Turba 2.0.2 (Debian oldstable):
> http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1_2.0.2-1sarge1.diff

I don't feel qualified without a _lot_ more time to review the 2.0.x  
patch; that is very, very different from the current code.

The 2.1.4 patch seems to have a bunch of extra stuff in it - I would  
just do the changes to Group.php, sql.php, and browse.php. If you're  
also including different fixes those would have to be reviewed  
separately - those changes are a bit harder to follow.

> Note: FYI, the Debian security team requested a CVE id for this security issue.

We got the report from you, so unless you created one I don't think  
there is one. Or do you mean that they started the process of creating  
one from CVE?

-chuck




