[Secure-testing-team] horde problem.
Lionel Elie Mamane
lionel at mamane.lu
Wed Mar 29 15:25:34 UTC 2006
On Wed, Mar 29, 2006 at 05:04:27PM +0200, Martin Schulze wrote:

> I've been told (haven't had the time to check on my own) that a very
> serious security problem in horde has been discovered.

Yes. Remote code execution. I don't know the details. horde and horde2
are not affected, horde3 all versions up to 3.1.1 and 3.0.10 are
affected.

> Are you able to provide fixed packages for woody,

Not affected: contains only horde.

> sarge and sid

Affected. Even the just uploaded 3.1 (currently in incoming) is
affected.

To fix sarge: The diff between upstream 3.0.9 and 3.0.10 is the best
starting point I know of; the changelog is:

 * Fix for remote code execution vulnerability in the help viewer,
   discovered by Jan Schneider from the Horde team.
 * Fixed a few minor bugs.

Fix of sid/etch should happen by upload of upstream 3.1.1.

> soon,

Personally, I have a security update to Mailman to prepare, and then I
can turn to Horde3. Which means I *might* be able to do something
Thursday evening (today is not totally excluded); if not then the next
probable Debian-slot is Sunday or Monday.

I live in UTC+2, but my biological clock is still at UTC+1.

In the team, opal has been active lately, so he may surprise us with
an update soon.

--
Lionel