[pkg-horde] [SCM] Debian Horde Packages repository: horde3 package branch, debian-lenny, updated. 1f5981559224b20f8cfc7d880e4198cdfb9b17d6

Gregory Colpart reg at debian.org
Mon May 24 23:20:13 UTC 2010


The following commit has been merged in the debian-lenny branch:
commit 1f5981559224b20f8cfc7d880e4198cdfb9b17d6
Author: Gregory Colpart <reg at debian.org>
Date:   Mon May 24 23:32:43 2010 +0200

    security upload, thanks to white at debian.org

diff --git a/debian/changelog b/debian/changelog
index d0df76d..51ac34d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+horde3 (3.2.2+debian0-2+lenny2) stable-security; urgency=high
+
+  * Non-maintainer upload by the security team
+  * Fix several cross-site scripting vulnerabilities via crafted number
+    preferences or inline MIME text parts when using text/plain as MIME
+    type (horde ticket #8311 and #8399) (Issue was fixed in the previous
+    version, but adjusting the conffile was missing)
+    Fixes: CVE-2009-3237
+  * Fix cross-site scripting vulnerability via data:text/html values in
+    an HTML email message (horde ticket #8715)
+    Fixes: CVE-2009-4363
+  * Fix several cross-site scripting vulnerabilities via the PATH_INFO
+    variable due to use of the PHP_SELF variable
+    Fixes: CVE-2009-3701
+
+ -- Steffen Joeris <white at debian.org>  Tue, 05 Jan 2010 13:02:24 +0100
+
 horde3 (3.2.2+debian0-2+lenny1) stable-security; urgency=high
 
   * Add patch stuff on debian/rules to have clean security patches.
diff --git a/debian/patches/0002-CVE-2009-3237.patch b/debian/patches/0002-CVE-2009-3237.patch
new file mode 100644
index 0000000..fb7022d
--- /dev/null
+++ b/debian/patches/0002-CVE-2009-3237.patch
@@ -0,0 +1,11 @@
+--- ../old/horde3-3.2.2+debian0/config/mime_drivers.php.dist	2010-01-05 11:07:10.000000000 +0000
++++ horde3-3.2.2+debian0/config/mime_drivers.php.dist	2010-01-05 11:42:45.000000000 +0000
+@@ -124,7 +124,7 @@
+  * Default text driver settings
+  */
+ $mime_drivers['horde']['simple'] = array(
+-    'inline' => true,
++    'inline' => false,
+     'handles' => array(
+         'text/*'
+     ),
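Review bot: Installations whose deployed `mime_drivers.php` was created or edited before this upload may still carry `'inline' => true` for the `text/*` simple driver, because the patch changes only the shipped default in `mime_drivers.php.dist`. How the package installs or merges that conffile is not visible here, so administrators would benefit from a NEWS or README.Debian entry telling them to check the live file. The reason for the new value could be recorded in the existing docblock above the array, for example `* inline is disabled on purpose: text parts rendered inline by this driver were an XSS vector (CVE-2009-3237).` The array definition continues past the end of the hunk.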
diff --git a/debian/patches/0003-CVE-2009-4363.patch b/debian/patches/0003-CVE-2009-4363.patch
new file mode 100644
index 0000000..4c1bc89
--- /dev/null
+++ b/debian/patches/0003-CVE-2009-4363.patch
@@ -0,0 +1,18 @@
+--- ../old/horde3-3.2.2+debian0/lib/Horde/Text/Filter/xss.php	2010-01-05 11:07:10.000000000 +0000
++++ horde3-3.2.2+debian0/lib/Horde/Text/Filter/xss.php	2010-01-05 11:53:10.000000000 +0000
+@@ -190,6 +190,15 @@
+             $patterns[$pattern] = '<' . $this->_params['replace'] . '_tag';
+         }
+ 
++        /* Strip out data URLs living in an A HREF element (Bug #8715). */
++        $malicious = '/<((?:a|&#0*65;?|&#0*41;?|&#0*97;?|&#0*61;?)\b[^>]+?)' .
++            '(?:h|&#0*72;?|&#0*48;?|&#0*104;?|&#0*68;?)\s*' .
++            '(?:r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?)\s*' .
++            '(?:e|&#0*69;?|&#0*45;?|&#0*101;?|&#0*65;?)\s*' .
++            '(?:f|&#0*70;?|&#0*46;?|&#0*102;?|&#0*66;?)\s*=' .
++            '("|\')?\s*data:(?(2)[^"\')>]*|[^\s)>]*)(?(2)\\2)/is';
++        $patterns[$malicious] = '<$1';
++
+         /* Comment out style/link tags. */
+         if ($this->_params['strip_styles']) {
+             if ($this->_params['strip_style_attributes']) {
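Review bot: Four of the five letter groups in `$malicious` write their hexadecimal character references without the `x`, unlike the `r` group. In the `a` group, for instance, `&#0*41;?` and `&#0*61;?` are decimal forms, so they match references to other characters and miss the hex spelling of the letter. Writing them like the `r` group, e.g. `(?:a|&#0*65;?|&#x0*41;?|&#0*97;?|&#x0*61;?)`, and doing the same for the `h`, `e` and `f` groups, would make the pattern say what it appears to intend. The comment limits the rule to A HREF; whether other URL-bearing attributes are covered by other patterns is not visible, since the method starts and ends outside the hunk. A few unit cases (quoted and unquoted values, mixed-case `data:`, and a benign `href` that must survive) would pin the behaviour.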
diff --git a/debian/patches/0004-CVE-2009-3701.patch b/debian/patches/0004-CVE-2009-3701.patch
new file mode 100644
index 0000000..d56325d
--- /dev/null
+++ b/debian/patches/0004-CVE-2009-3701.patch
@@ -0,0 +1,36 @@
+diff -uNr horde-3.3.5/admin/cmdshell.php horde-3.3.6/admin/cmdshell.php
+--- horde-3.3.5/admin/cmdshell.php	2009-01-06 16:22:10.000000000 +0100
++++ horde3-3.2.2+debian0/admin/cmdshell.php	2009-10-13 17:52:07.000000000 +0200
+@@ -43,7 +43,7 @@
+ }
+ ?>
+ 
+-<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
++<form action="cmdshell.php" method="post">
+ <?php Util::pformInput() ?>
+ <label for="cmd" class="hidden"><?php echo _("Command") ?></label>
+ <textarea class="fixed" id="cmd" name="cmd" rows="10" cols="60">
+diff -uNr horde-3.3.5/admin/phpshell.php horde-3.3.6/admin/phpshell.php
+--- horde-3.3.5/admin/phpshell.php	2009-01-06 16:22:10.000000000 +0100
++++ horde3-3.2.2+debian0/admin/phpshell.php	2009-10-13 17:52:07.000000000 +0200
+@@ -39,7 +39,7 @@
+ 
+ ?>
+ <div style="padding:10px">
+-<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
++<form action="phpshell.php" method="post">
+ <?php Util::pformInput() ?>
+ 
+ <h1 class="header"><?php echo _("PHP Shell") ?></h1>
+diff -uNr horde-3.3.5/admin/sqlshell.php horde-3.3.6/admin/sqlshell.php
+--- horde-3.3.5/admin/sqlshell.php	2009-01-06 16:22:10.000000000 +0100
++++ horde3-3.2.2+debian0/admin/sqlshell.php	2009-10-13 17:52:07.000000000 +0200
+@@ -26,7 +26,7 @@
+ ?>
+ <div style="padding:10px">
+ <h1 class="header"><?php echo _("SQL Shell") ?></h1><br />
+-<form name="sqlshell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
++<form name="sqlshell" action="sqlshell.php" method="post">
+ <?php Util::pformInput() ?>
+ 
+ <?php
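Review bot: Only three admin pages are changed here, while the changelog entry speaks of several PATH_INFO issues, so the packaged 3.2.2 tree should be checked for any other template that still echoes `$_SERVER['PHP_SELF']` unescaped; the rest of the tree is not visible in this patch. The hard-coded actions (`action="cmdshell.php"`, `action="phpshell.php"`, `action="sqlshell.php"`) stop the reflection for these three forms. The inner headers show the hunks were taken from the horde 3.3.5 to 3.3.6 diff and retargeted at `horde3-3.2.2+debian0`, which the patch file itself does not say. A leading line such as `# Backported from the horde 3.3.5 -> 3.3.6 diff: stop echoing PHP_SELF in admin form actions (CVE-2009-3701)` would record that for later maintainers.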

-- 
Debian Horde Packages repository: horde3 package


