[pkg-horde] Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

Gregory Colpart reg at evolix.fr
Tue Feb 19 00:34:27 UTC 2008


Hi,

On Mon, Feb 18, 2008 at 06:26:38PM -0500, Chuck Hagenbuch wrote:

> The 2.1.4 patch seems to have a bunch of extra stuff in it - I would  
> just do the changes to Group.php, sql.php, and browse.php. If you're  
> also including different fixes those would have to be reviewed  
> separately - those changes are a bit harder to follow.

I apologize because this patch includes *two* security patches:
- [jan] SECURITY: Fix privilege escalation in Horde API => from 2.1.6
- [cjh] SECURITY: Fix unchecked access to contacts in the same
  SQL table (Bug #6208). => from 2.1.7 (patch spoken in this thread)

For 2.0.2, I include one more security patch:
- [cjh] Close several XSS vulnerabilities with address book and
  contact data. => from 2.0.5

For easy reviewing, I include comments in my patches like:
--8<--
// backport security patch from Turba 2.*.*
--8<--


> >Note: FYI, Debian security team requested CVE id for this security issue.
> 
> We got the report from you, so unless you created one I don't think  
> there is one. Or do you mean that they started the process of creating  
> one from CVE?

Yes, they started the process of creating one. We're waiting for it.


Regards,
-- 
Gregory Colpart <reg at evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/