[pkg-horde] Re: horde problem.

Martin Schulze joey at infodrom.org
Wed Mar 29 18:56:59 UTC 2006


Lionel Elie Mamane wrote:
> On Wed, Mar 29, 2006 at 05:04:27PM +0200, Martin Schulze wrote:
> 
> > I've been told (haven't had the time to check on my own) that a very
> > serious security problem in horde has been discovered.
> 
> > Are you able to provide fixed packages for woody, sarge and sid
> > soon, if the version in one of these distributions is affected
> > by this problem?
> 
> Update for sarge is at http://people.debian.org/horde/ . Review
> recommended and appreciated. Summary of issues and changes:
> 
>  - Remote code execution in help browser (eval() of user-provided
>    data). CVE to be allocated. My packages use "CVE-UNKNOWN-TODO" as a
>    placeholder. (from 3.0.10)
> 
>  - Further removal of eval() calls that are not known (by Lionel) to
>    be exploitable. Included under general umbrella of "cleaner more
>    secure code" and "let's fix it before it is found to be
>    exploitable". (from 3.0.10)
> 
>  - CVE-2006-1260: allows remote attackers to read arbitrary files via
>    a null character in the url parameter in services/go.php, which
>    bypasses a sanity check. (from 3.0.10)
> 
>  - CVE-2005-4190: several XSS problems in the share edit window. (from
>    3.0.8)

Sounds good.

> Furthermore, these issues, being XSS vulnerabilities in applications
> of the Horde suite (in their own Debian source package) have unclear
> status for sarge (fixed in etch, sid); the question is whether the 1.x
> versions of these programs are affected by the vulnerability or
> not. (The announcements say "2.0.x and earlier", for a specific value
> of x.)
> 
>  CVE-2005-4192
>  CVE-2005-4191
> 
> We have issued a DSA for CVE-2005-4189, so it is possible that someone
> looked at -4192 and -4191 and determined they didn't affect the 1.x
> versions (and hence sarge). Can somebody confirm this?

I can't find a trace of either of them.

Regards,

	Joey

-- 
The only stupid question is the unasked one.
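As an added illustration of the null-byte bypass summarised above for CVE-2006-1260 (constructed example code, not Horde's own source): a sanity check that inspects every byte of the parameter can accept a value that a NUL-terminated file API then truncates, so the path validated and the path opened differ. The suffix rule, file names and the `effective_path_len` helper are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sanity check in the style of the one bypassed: it looks at all
 * `len` bytes of the parameter and accepts it if it ends in ".html". */
bool naive_url_check(const char *url, size_t len)
{
    static const char suffix[] = ".html";
    size_t slen = sizeof suffix - 1;
    if (len < slen)
        return false;
    return memcmp(url + len - slen, suffix, slen) == 0;
}

/* What a NUL-terminated file API (fopen and friends) actually sees:
 * the string ends at the first NUL byte, so anything after it is lost. */
size_t effective_path_len(const char *url)
{
    return strlen(url);
}

/* Hardened check: refuse any parameter containing an embedded NUL before
 * applying the suffix rule, so the validated and opened paths coincide. */
bool hardened_url_check(const char *url, size_t len)
{
    if (memchr(url, '\0', len) != NULL)
        return false;
    return naive_url_check(url, len);
}

int main(void)
{
    /* Constructed inputs: a benign value and one with an embedded NUL. */
    static const char benign[] = "docs/intro.html";
    static const char crafted[] = "../../private.txt\0.html";
    size_t clen = sizeof crafted - 1;   /* 23 bytes, NUL included */

    printf("benign:  naive=%d hardened=%d\n",
           naive_url_check(benign, sizeof benign - 1),
           hardened_url_check(benign, sizeof benign - 1));
    printf("crafted: naive=%d hardened=%d opened-as=\"%s\" (%zu bytes)\n",
           naive_url_check(crafted, clen), hardened_url_check(crafted, clen),
           crafted, effective_path_len(crafted));
    return 0;
}
```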