[pkg-horde] Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

Gregory Colpart reg at evolix.fr
Thu Feb 21 01:41:41 UTC 2008


Hello,

The package turba2 has vulnerabilities (See CVE-2008-0807, bug
#464058 and changelogs of fixed sarge/etch packages).

I prepared fixed packages:

- Sarge version (source package and debdiff):
http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1sarge1.dsc
http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1_2.0.2-1sarge1.diff

- Etch version (source package and debdiff):
http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1etch1.dsc
http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1_2.1.3-1etch1.diff

Information for the advisory:

8<----------------------------------
turba2 -- several vulnerabilities

Date Reported:
    ?? Feb 2008
Affected Packages:
    turba2
Vulnerable:
    Yes
Security database references:
    In Mitre's CVE dictionary: CVE-2008-0807
More information:

It was discovered that the Turba contact management component for the Horde
framework has several vulnerabilities: it allows authenticated users to modify
address data in the same SQL table by guessing the unique key (CVE-2008-0807),
and it allows privilege escalation in the Horde API and cross-site scripting (XSS)
vulnerabilities with address book and contact data (only for Sarge version).

For the old stable distribution (sarge) this problem has been fixed in version 2.0.2-1sarge1.

For the stable distribution (etch) this problem has been fixed in version 2.1.3-1etch1.

For the unstable distribution (sid) this problem has been fixed in version 2.1.7-1.

We recommend that you upgrade your turba2 package.
8<----------------------------------


Regards,
-- 
Gregory Colpart <reg at evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
