[Secure-testing-team] Re: horde problem.
Martin Schulze
joey at infodrom.org
Wed Mar 29 15:45:04 UTC 2006
Lionel Elie Mamane wrote:
> > Are you able to provide fixed packages for woody,
>
> Not affected: contains only horde.
Ok.
> > sarge and sid
>
> Affected. Even the just uploaded 3.1 (currently in incoming) is
> affected.
Ok.
> To fix sarge: The diff between upstream 3.0.9 and 3.0.10 is the best
> starting point I know of; the changelog is:
>
> * Fix for remote code execution vulnerability in the help viewer,
> discovered by Jan Schneider from the Horde team.
> * Fixed a few minor bugs.
>
> Fix of sid/etch should happen by upload of upstream 3.1.1.
>
> > soon,
>
> Personally, I have a security update to Mailman to prepare, and then I
> can turn to Horde3. Which means I *might* be able to do something
> Thursday evening (today is not totally excluded); if not then the next
> probable Debian-slot is Sunday or Monday.
If the Horde problem is arbitrary execution of remotely injected
PHP code, then it is a lot more serious than the DoS/mbox crash
bug in Mailman because it means remote access to machines where
people are not supposed to have remote access.
> In the team, opal has been active lately, so he may surprise us with
> an update soon.
That would be appreciated.
Regards,
Joey
--
The only stupid question is the unasked one.