"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1966-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
January 07, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : horde3
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Ids : CVE-2009-3237 CVE-2009-3701 CVE-2009-4363
Several vulnerabilities have been found in horde3, the horde web application
framework. The Common Vulnerabilities and Exposures project identifies
the following problems:
CVE-2009-3237
It has been discovered that horde3 is prone to cross-site scripting
attacks via crafted number preferences or inline MIME text parts when
using text/plain as MIME type.
For lenny this issue was already fixed, but as an additional security
precaution, the display of inline text was disabled in the configuration
file.
CVE-2009-3701
It has been discovered that the horde3 administration interface is prone
to cross-site scripting attacks due to the use of the PHP_SELF variable.
This issue can only be exploited by authenticated administrators.
CVE-2009-4363
It has been discovered that horde3 is prone to several cross-site
scripting attacks via crafted data:text/html values in HTML messages.
For the stable distribution (lenny), these problems have been fixed in
version 3.2.2+debian0-2+lenny2.
For the oldstable distribution (etch), these problems have been fixed in
version 3.1.3-4etch7.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 3.3.6+debian0-1.
We recommend that you upgrade your horde3 packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.dsc
Size/MD5 checksum: 691 48b9e415b5f6ab912615d4da1fdbf972
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.diff.gz
Size/MD5 checksum: 17280 15471b64c8321f477800da4cfe3ff8e4
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz
Size/MD5 checksum: 5232958 fbc56c608ac81474b846b1b4b7bb5ee7
Architecture independent packages:
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7_all.deb
Size/MD5 checksum: 5282070 b0788ebca983b9059a7fa05ada2de4cb
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.dsc
Size/MD5 checksum: 1389 c7d03777a3a09845206364f689752f30
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.diff.gz
Size/MD5 checksum: 27993 866df86724501fbd550d5e164e4cdd3c
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0.orig.tar.gz
Size/MD5 checksum: 7180761 fb22a594bbdad07a0fbeef035a6d2f39
Architecture independent packages:
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2_all.deb
Size/MD5 checksum: 7240984 9298abd370d67b6a4861f015e330d1c5
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktFssAACgkQ62zWxYk/rQf9kACgmyXz0l/5q9TZiiafcbmrEWqf
x/8An3Daz3amIFFmj0uGbiQ+g4CtZw9w
=4/Rk
-----END PGP SIGNATURE-----
"
The Courteeners confirm new singleDSA 1944-1: New request-tracker packages fix session hijack vulnerability
This entry was posted
on 4:45 PM
.
Archives
-
▼
2010
(391)
-
▼
January
(47)
- USN-892-1: FUSE vulnerability
- DSA 1985-1: New sendmail packages fix SSL certific...
- DSA 1978-1: New phpgroupware packages fix several ...
- USN-890-4: PyXML vulnerabilities
- USN-890-3: Python 2.4 vulnerabilities
- DSA 1980-1: New ircd-hybrid/ircd-ratbox packages f...
- USN-890-1: Expat vulnerabilities
- RHSA-2010:0062-02 Moderate: bind security update
- RHSA-2010:0053-01 Important: kernel security and b...
- RHSA-2010:0061-02 Moderate: gzip security update
- DSA-1976-1: New dokuwiki packages fix several vuln...
- DSA-1975-1: Security Support for Debian 4.0 to be ...
- DSA 1974-1: New gzip packages fix arbitrary code e...
- DSA-1972-2: New audiofile packages fix buffer over...
- RHSA-2010:0054-01 Moderate: openssl security update
- RHSA-2010:0041-01 Important: kernel-rt security an...
- DSA-1972-1: New audiofile packages fix buffer over...
- USN-885-1: LibThai vulnerability
- GLSA 201001-06 aria2: Multiple vulnerabilities
- RHSA-2010:0046-01 Important: kernel security and b...
- USN-884-1: OpenSSL vulnerability
- USN-883-1: network-manager-applet vulnerabilities
- USN-886-1: Pidgin vulnerabilities
- DSA-1971-1: New libthai packages fix arbitrary cod...
- GLSA 201001-09 Ruby: Terminal Control Character I...
- RHSA-2010:0044-01 Important: pidgin security update
- RHSA-2010:0029-01 Critical: krb5 security update
- USN-885-1: Transmission vulnerabilities
- GLSA 201001-08 SquirrelMail: Multiple vulnerabili...
- RHSA-2010:0020-01 Important: kernel security update
- RHSA-2010:0038-01 Critical: acroread security update
- DSA-1969-1: New krb5 packages fix denial of service
- USN-878-1: Firefox 3.5 and Xulrunner 1.9.1 regression
- DSA 1968-1: New pdns-recursor packages fix potenti...
- RHSA-2010:0019-01 Important: kernel security update
- RHSA-2010:0018-01 Moderate: dbus security update
- USN-880-1: GIMP vulnerabilities
- USN-877-1: Firefox 3.0 and Xulrunner 1.9 regression
- DSA 1966-1: New horde3 packages fix cross-site scr...
- DSA-1965-1: New phpldapadmin packages fix remote f...
- GLSA 201001-03 PHP: Multiple vulnerabilities
- USN-879-1: Kerberos vulnerability
- RHSA-2010:0003-01 Moderate: gd security update
- RHSA-2010:0002-01 Moderate: PyXML security update
- GLSA 201001-01 NTP: Denial of Service
- GLSA 201001-02 Adobe Flash Player: Multiple vulne...
- DSA-1953-2: New expat packages fix regression
-
▼
January
(47)