[pkg-horde] Bug#737149: CVE-2014-1691: Remote code execution in horde < 5.1.1

micah micah at riseup.net
Thu Jan 30 17:48:06 UTC 2014

Moritz Mühlenhoff <jmm at inutil.org> writes:

> On Thu, Jan 30, 2014 at 12:00:10PM -0500, Micah Anderson wrote:
>> Package: horde3
>> Version: 3.3.8+debian0-2
>> Severity: serious
>> Tags: security
>> Justification: security issue
>> Hello,
>> As detailed on the debian security tracker[0] and reported on oss-sec[1] and assigned CVE 2014-1691, there is a remote code execution bug in horde affecting all versions from at least horde 3.1.x to 5.1.1.
>> That includes squeeze... I've got a patch that applies to the horde3 package in squeeze that resolves this issue, please find it attached[2]... I've built and tested these packages on Squeeze in an active environment. I am not certain where this particular code is used, so I wasn't sure if I was able to test exactly that code path.
>> If you would like, I can provide a package for squeeze for a DSA.
> 2. https://gist.github.com/pietro/8712454/raw/b03bc5ecb7ec1f1f778b867ecd6d9d142d0ddaf7/gistfile1.diff
> Yes, please upload a fixed oldstable package with the patch


More information about the pkg-horde-hackers mailing list