Accepted horde3 3.0.4-4sarge6 (source all)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 9 Nov 2007 22:25:26 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge6
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
horde3 - horde web application framework
Closes: 378281 383416
Changes:
 horde3 (3.0.4-4sarge6) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Argument injection vulnerability in the cleanup cron script in Horde
     Project Horde and IMP before Horde Application Framework 3.1.4 allows
     local users to delete arbitrary files and possibly gain privileges via
     multiple space-delimited pathnames.
     (CVE-2007-1474)
   * services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and
     3.1.0 through 3.1.1 does not properly restrict its image proxy capability,
     which allows remote attackers to perform "Web tunneling" attacks and use
     the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url
     parameter, which is requested from the server.
     (CVE-2006-3549)
   * Multiple cross-site scripting (XSS) vulnerabilities in Horde Application
     Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote
     attackers to inject arbitrary web script or HTML via a (1) javascript URI
     or an external (2) http, (3) https, or (4) ftp URI in the url parameter in
     services/go.php (aka the dereferrer), (5) a javascript URI in the module
     parameter in services/help (aka the help viewer), and (6) the name
     parameter in services/problem.php (aka the problem reporting screen).
     (CVE-2006-3548)
   * index.php in Horde Application Framework before 3.1.2 allows remote
     attackers to include web pages from other sites, which could be useful for
     phishing attacks, via a URL in the url parameter, aka "cross-site
     referencing." NOTE: some sources have referred to this issue as XSS, but
     it is different than classic XSS.
     (CVE-2006-4256)
   * Closes: 383416, 378281
Files:
a829a3791ed40777b0a4995be6727f13 920 web optional horde3_3.0.4-4sarge6.dsc
ab0dc18c4744b21919c154ac81600ad7 13978 web optional horde3_3.0.4-4sarge6.diff.gz
f2cd9a0c7cb7e800d357d206d9f19841 3437942 web optional horde3_3.0.4-4sarge6_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
Accepted:
horde3_3.0.4-4sarge6.diff.gz
to pool/main/h/horde3/horde3_3.0.4-4sarge6.diff.gz
horde3_3.0.4-4sarge6.dsc
to pool/main/h/horde3/horde3_3.0.4-4sarge6.dsc
horde3_3.0.4-4sarge6_all.deb
to pool/main/h/horde3/horde3_3.0.4-4sarge6_all.deb