DSA 1966-1: New horde3 packages fix cross-site scripting  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1966-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
January 07, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : horde3
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Ids : CVE-2009-3237 CVE-2009-3701 CVE-2009-4363

Several vulnerabilities have been found in horde3, the horde web application
framework. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-3237

It has been discovered that horde3 is prone to cross-site scripting
attacks via crafted number preferences or inline MIME text parts when
using text/plain as MIME type.
For lenny this issue was already fixed, but as an additional security
precaution, the display of inline text was disabled in the configuration
file.

CVE-2009-3701

It has been discovered that the horde3 administration interface is prone
to cross-site scripting attacks due to the use of the PHP_SELF variable.
This issue can only be exploited by authenticated administrators.

CVE-2009-4363

It has been discovered that horde3 is prone to several cross-site
scripting attacks via crafted data:text/html values in HTML messages.


For the stable distribution (lenny), these problems have been fixed in
version 3.2.2+debian0-2+lenny2.

For the oldstable distribution (etch), these problems have been fixed in
version 3.1.3-4etch7.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 3.3.6+debian0-1.


We recommend that you upgrade your horde3 packages.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.dsc
Size/MD5 checksum: 691 48b9e415b5f6ab912615d4da1fdbf972
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.diff.gz
Size/MD5 checksum: 17280 15471b64c8321f477800da4cfe3ff8e4
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz
Size/MD5 checksum: 5232958 fbc56c608ac81474b846b1b4b7bb5ee7

Architecture independent packages:

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7_all.deb
Size/MD5 checksum: 5282070 b0788ebca983b9059a7fa05ada2de4cb


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.dsc
Size/MD5 checksum: 1389 c7d03777a3a09845206364f689752f30
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.diff.gz
Size/MD5 checksum: 27993 866df86724501fbd550d5e164e4cdd3c
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0.orig.tar.gz
Size/MD5 checksum: 7180761 fb22a594bbdad07a0fbeef035a6d2f39

Architecture independent packages:

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2_all.deb
Size/MD5 checksum: 7240984 9298abd370d67b6a4861f015e330d1c5


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktFssAACgkQ62zWxYk/rQf9kACgmyXz0l/5q9TZiiafcbmrEWqf
x/8An3Daz3amIFFmj0uGbiQ+g4CtZw9w
=4/Rk
-----END PGP SIGNATURE-----
"

The Courteeners confirm new singleDSA 1944-1: New request-tracker packages fix session hijack vulnerability

This entry was posted on 4:45 PM .