Accepted horde3 3.0.4-4sarge6 (source all)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  9 Nov 2007 22:25:26 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge6
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 378281 383416
Changes: 
 horde3 (3.0.4-4sarge6) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Argument injection vulnerability in the cleanup cron script in Horde
     Project Horde and IMP before Horde Application Framework 3.1.4 allows
     local users to delete arbitrary files and possibly gain privileges via
     multiple space-delimited pathnames.
     (CVE-2007-1474)
   * services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and
     3.1.0 through 3.1.1 does not properly restrict its image proxy capability,
     which allows remote attackers to perform "Web tunneling" attacks and use
     the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url
     parameter, which is requested from the server.
     (CVE-2006-3549)
   * Multiple cross-site scripting (XSS) vulnerabilities in Horde Application
     Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote
     attackers to inject arbitrary web script or HTML via a (1) javascript URI
     or an external (2) http, (3) https, or (4) ftp URI in the url parameter in
     services/go.php (aka the dereferrer), (5) a javascript URI in the module
     parameter in services/help (aka the help viewer), and (6) the name
     parameter in services/problem.php (aka the problem reporting screen).
     (CVE-2006-3548)
   * index.php in Horde Application Framework before 3.1.2 allows remote
     attackers to include web pages from other sites, which could be useful for
     phishing attacks, via a URL in the url parameter, aka "cross-site
     referencing." NOTE: some sources have referred to this issue as XSS, but
     it is different than classic XSS.
     (CVE-2006-4256)
   * Closes: 383416, 378281
Files: 
 a829a3791ed40777b0a4995be6727f13 920 web optional horde3_3.0.4-4sarge6.dsc
 ab0dc18c4744b21919c154ac81600ad7 13978 web optional horde3_3.0.4-4sarge6.diff.gz
 f2cd9a0c7cb7e800d357d206d9f19841 3437942 web optional horde3_3.0.4-4sarge6_all.deb


Accepted:
horde3_3.0.4-4sarge6.diff.gz
  to pool/main/h/horde3/horde3_3.0.4-4sarge6.diff.gz
horde3_3.0.4-4sarge6.dsc
  to pool/main/h/horde3/horde3_3.0.4-4sarge6.dsc
horde3_3.0.4-4sarge6_all.deb
  to pool/main/h/horde3/horde3_3.0.4-4sarge6_all.deb
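
Three of the four entries above (CVE-2006-3548, CVE-2006-3549, CVE-2006-4256) share one root: a `url` parameter that is used as a redirect or frame target without being checked. The following is an added illustration in Python, not Horde's code and not the patch in this upload, of the kind of check such a parameter needs; the host names are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed for this example: the site's own host(s) that index.php may frame.
ALLOWED_FRAME_HOSTS = {"horde.example.org"}
SAFE_SCHEMES = {"http", "https"}


def is_safe_redirect_target(url: str) -> bool:
    """Accept only absolute http(s) URLs for a redirect such as the dereferrer.

    Rejects javascript: and every other scheme, scheme-relative //host forms,
    and any input containing whitespace or control characters, which browsers
    may strip before they decide what scheme the value has.
    """
    if not url:
        return False
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    parsed = urlparse(url)
    # urlparse lowercases the scheme, so JaVaScRiPt: is caught as well.
    return parsed.scheme in SAFE_SCHEMES and bool(parsed.hostname)


def is_safe_frame_target(url: str, allowed_hosts=ALLOWED_FRAME_HOSTS) -> bool:
    """Stricter check for a page that embeds the URL in a frame.

    Besides the scheme rules, the host must be on an allowlist, so index.php
    cannot be made to display a third-party page (the cross-site referencing
    issue). hostname comes back lowercased and without any user@ prefix.
    """
    if not is_safe_redirect_target(url):
        return False
    return urlparse(url).hostname in allowed_hosts
```

This governs only where a redirect may point; it does not make fetching the target server-side safe, which is the separate image-proxy issue in go.php and is addressed by not proxying at all or by restricting the proxy to known hosts.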
