[pkg-horde] Bug#470640: horde3: CVE-2008-1284 file inclusion vulnerability
Nico Golde
nion at debian.org
Wed Mar 12 12:27:49 UTC 2008
Package: horde3
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for horde3.
CVE-2008-1284[0]:
| Directory traversal vulnerability in Horde 3.1.6, Groupware before
| 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with
| certain configurations, allows remote authenticated users to read and
| execute arbitrary files via ".." sequences and a null byte in the
| theme name.
Patch is on:
http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.6-3.1.7.gz
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1284
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-horde-hackers/attachments/20080312/6e679cc1/attachment.pgp
More information about the pkg-horde-hackers
mailing list