[pkg-horde] Bug#737149: CVE-2014-1691: Remote code execution in horde < 5.1.1

micah micah at riseup.net
Thu Jan 30 17:48:06 UTC 2014


Moritz Mühlenhoff <jmm at inutil.org> writes:

> On Thu, Jan 30, 2014 at 12:00:10PM -0500, Micah Anderson wrote:
>> Package: horde3
>> Version: 3.3.8+debian0-2
>> Severity: serious
>> Tags: security
>> Justification: security issue
>> 
>> Hello,
>> 
>> As detailed on the debian security tracker[0] and reported on oss-sec[1] and assigned CVE 2014-1691, there is a remote code execution bug in horde affecting all versions from at least horde 3.1.x to 5.1.1.
>> 
>> That includes squeeze... I've got a patch that applies to the horde3 package in squeeze that resolves this issue, please find it attached[2]... I've built and tested these packages on Squeeze in an active environment. I am not certain where this particular code is used, so I wasn't sure if I was able to test exactly that code path.
>> 
>> If you would like, I can provide a package for squeeze for a DSA.
>
> 2. https://gist.github.com/pietro/8712454/raw/b03bc5ecb7ec1f1f778b867ecd6d9d142d0ddaf7/gistfile1.diff
>
> Yes, please upload a fixed oldstable package with the patch

Done.


