Package: horde3
Version: 3.3.8+debian0-2
Severity: serious
Tags: security
Justification: security issue

Hello,

As detailed on the debian security tracker[0] and reported on oss-sec[1] and assigned CVE 2014-1691, there is a remote code execution bug in horde affecting all versions from at least horde 3.1.x to 5.1.1. That includes squeeze...

I've got a patch that applies to the horde3 package in squeeze that resolves this issue, please find it attached[2]...

I've built and tested these packages on Squeeze in an active environment. I am not certain where this particular code is used, so I wasn't sure if I was able to test exactly that code path.

If you would like, I can provide a package for squeeze for a DSA.

Micah

0. https://security-tracker.debian.org/tracker/CVE-2014-1691
1. http://seclists.org/oss-sec/2014/q1/153
2. https://gist.github.com/pietro/8712454/raw/b03bc5ecb7ec1f1f778b867ecd6d9d142d0ddaf7/gistfile1.diff

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages horde3 depends on:
ii  apache2               2.4.7-1
ii  apache2-bin [httpd]   2.4.7-1
ii  libapache2-mod-php5   5.5.8+dfsg-3
ii  libjs-scriptaculous   1.9.0-2
ii  php-log               1.12.7-1
ii  php-mail              1.2.0-5
ii  php-mail-mime         1.8.8-1
ii  php5-gd               5.5.8+dfsg-3
ii  php5-mcrypt           5.5.8+dfsg-3

Versions of packages horde3 recommends:
pn  fckeditor                                                         <none>
ii  locales                                                           2.17-97
ii  logrotate                                                         3.8.7-1
pn  php-date                                                          <none>
ii  php-db                                                            1.7.14-2
pn  php-file                                                          <none>
ii  php-mdb2                                                          2.5.0b5-1
pn  php-mdb2-driver-mysql | php-mdb2-driver-pgsql | php-mdb2-driv     <none>
pn  php-services-weather                                              <none>
ii  php5-cli                                                          5.5.8+dfsg-3
pn  php5-mysql | php5-pgsql | php5-ldap                               <none>
pn  tinymce2 | tinymce                                                <none>

Versions of packages horde3 suggests:
pn  chora2                    <none>
pn  enscript                  <none>
ii  gettext                   0.18.3.2-1
pn  gollem                    <none>
pn  imp4                      <none>
pn  kronolith2                <none>
ii  libgeoip1                 1.6.0-1
pn  libwpd-tools              <none>
pn  mnemo2                    <none>
pn  php-net-imap              <none>
pn  php5-auth-pam             <none>
ii  php5-common [php5-mhash]  5.5.8+dfsg-3
pn  ppthtml                   <none>
pn  rpm                       <none>
pn  source-highlight          <none>
pn  turba2                    <none>
pn  unrtf                     <none>
pn  webcpp                    <none>
pn  wv                        <none>
pn  xlhtml                    <none>

-- Configuration Files:
/etc/horde/horde3/.htaccess [Errno 13] Permission denied: u'/etc/horde/horde3/.htaccess'
/etc/horde/horde3/conf.php [Errno 13] Permission denied: u'/etc/horde/horde3/conf.php'
/etc/horde/horde3/conf.xml [Errno 13] Permission denied: u'/etc/horde/horde3/conf.xml'
/etc/horde/horde3/hooks.php [Errno 13] Permission denied: u'/etc/horde/horde3/hooks.php'
/etc/horde/horde3/mime_drivers.php [Errno 13] Permission denied: u'/etc/horde/horde3/mime_drivers.php'
/etc/horde/horde3/motd.php [Errno 13] Permission denied: u'/etc/horde/horde3/motd.php'
/etc/horde/horde3/nls.php [Errno 13] Permission denied: u'/etc/horde/horde3/nls.php'
/etc/horde/horde3/prefs.php [Errno 13] Permission denied: u'/etc/horde/horde3/prefs.php'
/etc/horde/horde3/registry.d/README [Errno 13] Permission denied: u'/etc/horde/horde3/registry.d/README'
/etc/horde/horde3/registry.php [Errno 13] Permission denied: u'/etc/horde/horde3/registry.php'

-- no debconf information