RE: [SECURITY] [DSA 1033-1] New horde3 packages fix several vulnerabilities
Fix your horde again!
#-----Original Message-----
#From: Moritz Muehlenhoff [mailto:jmm@debian.org]
#Sent: Wednesday, 12 April 2006 21:04
#To: debian-security-announce@lists.debian.org
#Subject: [SECURITY] [DSA 1033-1] New horde3 packages fix several vulnerabilities
#
#-----BEGIN PGP SIGNED MESSAGE-----
#Hash: SHA1
#
#- --------------------------------------------------------------------------
#Debian Security Advisory DSA 1033-1
#security@debian.org
#http://www.debian.org/security/
#Moritz Muehlenhoff
#April 12th, 2006
#http://www.debian.org/security/faq
#- --------------------------------------------------------------------------
#
#Package : horde3
#Vulnerability : several
#Problem-Type : remote
#Debian-specific: no
#CVE ID : CVE-2005-4190 CVE-2006-1260 CVE-2006-1491
#Debian Bug : 361967
#
#Several remote vulnerabilities have been discovered in the
#Horde web application framework, which may lead to the
#execution of arbitrary web script code. The Common
#Vulnerabilities and Exposures project identifies the following
#problems:
#
#CVE-2005-4190
#
# Several Cross-Site-Scripting vulnerabilities have been discovered in
# the "share edit window".
#
#CVE-2006-1260
#
# Null characters in the URL parameter bypass a sanity check, which
# allowed remote attackers to read arbitrary files, which allowed
# information disclosure.
#
#CVE-2006-1491
#
# User input in the help viewer was passed unsanitised to the eval()
# function, which allowed injection of arbitrary web code.
#
#
#The old stable distribution (woody) doesn't contain horde3 packages.
#
#For the stable distribution (sarge) these problems have been
#fixed in version 3.0.4-4sarge3.
#
#For the unstable distribution (sid) these problems have been
#fixed in version 3.1.1-1.
#
#We recommend that you upgrade your horde3 package.
#
#
#Upgrade Instructions
#- --------------------
#
#wget url
# will fetch the file for you
#dpkg -i file.deb
# will install the referenced file.
#
#If you are using the apt-get package manager, use the line for
#sources.list as given below:
#
#apt-get update
# will update the internal database
#apt-get upgrade
# will install corrected packages
#
#You may use an automated update by adding the resources from
#the footer to the proper configuration.
#
#
#Debian GNU/Linux 3.1 alias sarge
#- --------------------------------
#
# Source archives:
#
#
#http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge3.dsc
# Size/MD5 checksum: 628 7b66ee691ce42e8a50a072f82667be0b
#
#http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge3.diff.gz
# Size/MD5 checksum: 11630 20195835db40066033ddb80df5658740
#
#http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4.orig.tar.gz
# Size/MD5 checksum: 3378143 e2221d409ba1c8841ce4ecee981d7b61
#
# Architecture independent components:
#
#
#http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge3_all.deb
# Size/MD5 checksum: 3436640 eadf553e1f8d9117155dbb09fe1dec34
#
#
# These files will probably be moved into the stable distribution on
# its next update.
#
#- ---------------------------------------------------------------------------------
#For apt-get: deb http://security.debian.org/ stable/updates main
#For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
#Mailing list: debian-security-announce@lists.debian.org
#Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
#-----BEGIN PGP SIGNATURE-----
#Version: GnuPG v1.4.3 (GNU/Linux)
#
#iD8DBQFEPU6ZXm3vHE4uyloRAtD0AJ0QNX1N8OMH/VeM89Fbctcrg2JPJwCbB2NQ
#xNDhfF7lAgT1QSkbI5xi8U4=
#=Jvsc
#-----END PGP SIGNATURE-----
#
#
#
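Added example, not part of the advisory or of either mail: a shell sketch that reads the "Size/MD5 checksum" entries out of a saved copy of the advisory and checks a downloaded file against them before `dpkg -i`. The function names are hypothetical; it assumes `md5sum` and `awk` are available, and the listed values are only as trustworthy as the advisory's PGP signature.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the advisory.

# Print "filename size md5" for each file listed in an advisory (stdin or
# files). Handles the mail quote prefix "#" and URLs wrapped over two lines.
dsa_checksums() {
    awk '
    { sub(/^[#]?[ \t]*/, "") }                    # drop quote prefix, indent
    /^(http|ftp):\/\// { url = $0; wrap = 1; next }
    /Size\/MD5 checksum:/ {
        n = split(url, part, "/")
        if (n > 0) print part[n], $(NF-1), $NF
        url = ""; wrap = 0; next
    }
    wrap && NF == 1 { url = url $0; next }        # rest of a wrapped URL
    { wrap = 0 }
    ' "$@"
}

# Return 0 only if FILE has the given byte size and MD5 digest.
verify_dsa_file() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum < "$file" | cut -d' ' -f1)
    [ "$have_size" = "$want_size" ] || { echo "size mismatch: $file" >&2; return 1; }
    [ "$have_md5" = "$want_md5" ] || { echo "MD5 mismatch: $file" >&2; return 1; }
}

# Look FILE ($2) up by name in the saved advisory text ($1) and verify it.
verify_from_advisory() {
    entry=$(dsa_checksums "$1" |
        awk -v f="$(basename "$2")" '$1 == f { print $2, $3; exit }')
    [ -n "$entry" ] || { echo "not listed in advisory: $2" >&2; return 3; }
    verify_dsa_file "$2" "${entry% *}" "${entry#* }"
}

# Constructed sample: the advisory's binary package entry, with the URL
# wrapped the way mail clients re-wrap quoted text.
sample_advisory() {
    cat <<'EOF'
#http://security.debian.org/pool/updates/main/h/horde3/horde3_3.
#0.4-4sarge3_all.deb
# Size/MD5 checksum: 3436640 eadf553e1f8d9117155dbb09fe1dec34
EOF
}

sample_advisory | dsa_checksums
```

Typical use is `verify_from_advisory dsa-1033-1.txt horde3_3.0.4-4sarge3_all.deb && dpkg -i horde3_3.0.4-4sarge3_all.deb`, where `dsa-1033-1.txt` is a saved copy of the advisory.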