[pkg-horde] horde problem.
Lionel Elie Mamane
lionel at mamane.lu
Wed Mar 29 19:10:16 UTC 2006
On Wed, Mar 29, 2006 at 08:19:51PM +0200, Lionel Elie Mamane wrote:
> On Wed, Mar 29, 2006 at 08:07:50PM +0200, Lionel Elie Mamane wrote:
>> On Wed, Mar 29, 2006 at 05:04:27PM +0200, Martin Schulze wrote:
>>> I've been told (haven't had the time to check on my own) that a very
>>> serious security problem in horde has been discovered.
>>> Are you able to provide fixed packages for woody, sarge and sid
>>> soon, if the version in one of these distributions is affected
>>> by this problem?
>> Update for sarge is at http://people.debian.org/horde/ .
> Forgot woody; will address it after dinner.
>> - CVE-2006-1260: allows remote attackers to read arbitrary files via
>> a null character in the url parameter in services/go.php, which
>> bypasses a sanity check. (from 3.0.10)
> Woody affected.
http://www.securityfocus.com/bid/17117 lists the version in Woody as
being affected, but I cannot find the code in question anywhere in
horde in woody. The vulnerability stems from a call to readfile() with
improperly sanitised user data. The whole source doesn't contain the
string "readfile".
>> - CVE-2005-4190: several XSS problems in the share edit window. (from
>> 3.0.8)
> Not sure about Woody status; probably not affected.
Ditto; cannot find similar code in the woody version.
OK, now horde2 in sarge... Stay tuned...
--
Lionel
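The readfile() issue discussed above (CVE-2006-1260) is the classic NUL-byte truncation bypass. As an added illustration, not code from this thread or from Horde's services/go.php, the following models the pattern: a binary-safe PHP string check that a NUL byte slips past, followed by a filesystem call that, on the PHP releases of 2006 (before 5.3.4), handed the path to C's fopen(), which stops at the first NUL. The suffix regex, function names and paths are hypothetical stand-ins for whatever go.php's actual sanity check looked like; the attack string is constructed for the demo. Modern PHP rejects paths containing NUL bytes at the filesystem layer, so the vulnerable function is shown but not executed.

```php
<?php
// Added example: NUL-byte bypass of a suffix check before readfile().
// This is NOT Horde's services/go.php; the regex and helpers are a
// hypothetical model of the kind of "sanity check" the CVE describes.

// Vulnerable pattern. PHP strings may contain "\0", and preg_match() is
// binary-safe, so "/etc/passwd\0.gif" satisfies the regex. readfile() on
// PHP < 5.3.4 then passed the path to C fopen(), which stopped at the NUL
// and opened /etc/passwd instead.
function serve_image_vulnerable(string $url): void
{
    if (!preg_match('/\.(gif|jpe?g|png)$/i', $url)) {
        header('HTTP/1.0 403 Forbidden');
        return;
    }
    readfile($url);   // hypothetical sink; truncated at the NUL on old PHP
}

// Hardened pattern: refuse embedded NULs outright, resolve the path with
// realpath(), and confine it to an allowed directory before touching the
// filesystem. Returns true only if a file inside $base was served.
function serve_image_hardened(string $url, string $base): bool
{
    if (strpos($url, "\0") !== false) {
        return false;                       // a NUL never belongs in a path
    }
    if (!preg_match('/\.(gif|jpe?g|png)$/i', $url)) {
        return false;
    }
    $baseReal = realpath($base);
    $real     = realpath($base . DIRECTORY_SEPARATOR . $url);
    if ($baseReal === false || $real === false) {
        return false;                       // nonexistent base or target
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;                       // resolved outside the image dir
    }
    readfile($real);
    return true;
}

// Constructed attack input, as it arrives after PHP URL-decodes
//   ...?url=/etc/passwd%00.gif
$attack = "/etc/passwd\0.gif";

// The check alone lets it through: the regex only looks at the suffix.
var_dump((bool) preg_match('/\.(gif|jpe?g|png)$/i', $attack)); // bool(true)

// The hardened version refuses it before any filesystem call.
var_dump(serve_image_hardened($attack, __DIR__ . '/images'));   // bool(false)
```

The point for anyone auditing similar code: a regex or string-suffix check is only as good as the sink's view of the string. Whenever user data reaches a C-level path API, reject NUL bytes explicitly and canonicalise with realpath() against an allow-listed base directory rather than trusting a suffix match.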