1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 1966-1] New horde3 packages fix cross-site scripting

    From Steffen Joeris@1:229/2 to All on Thu Jan 7 11:40:03 2010
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------ Debian Security Advisory DSA-1966-1 [email protected] http://www.debian.org/security/ Steffen Joeris
    January 07, 2010 http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : horde3
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Ids : CVE-2009-3237 CVE-2009-3701 CVE-2009-4363

    Several vulnerabilities have been found in horde3, the horde web application framework. The Common Vulnerabilities and Exposures project identifies
    the following problems:

    CVE-2009-3237

    It has been discovered that horde3 is prone to cross-site scripting
    attacks via crafted number preferences or inline MIME text parts when
    using text/plain as MIME type.
    For lenny this issue was already fixed, but as an additional security precaution, the display of inline text was disabled in the configuration
    file.

    CVE-2009-3701

    It has been discovered that the horde3 administration interface is prone
    to cross-site scripting attacks due to the use of the PHP_SELF variable.
    This issue can only be exploited by authenticated administrators.

    CVE-2009-4363

    It has been discovered that horde3 is prone to several cross-site
    scripting attacks via crafted data:text/html values in HTML messages.


    For the stable distribution (lenny), these problems have been fixed in
    version 3.2.2+debian0-2+lenny2.

    For the oldstable distribution (etch), these problems have been fixed in version 3.1.3-4etch7.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems have been fixed in version 3.3.6+debian0-1.


    We recommend that you upgrade your horde3 packages.


    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    Debian (oldstable)
    - ------------------

    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    Source archives:

    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.dsc
    Size/MD5 checksum: 691 48b9e415b5f6ab912615d4da1fdbf972
    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.diff.gz
    Size/MD5 checksum: 17280 15471b64c8321f477800da4cfe3ff8e4
    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz
    Size/MD5 checksum: 5232958 fbc56c608ac81474b846b1b4b7bb5ee7

    Architecture independent packages:

    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7_all.deb
    Size/MD5 checksum: 5282070 b0788ebca983b9059a7fa05ada2de4cb


    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------

    Debian (stable)
    - ---------------

    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    Source archives:

    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.dsc
    Size/MD5 checksum: 1389 c7d03777a3a09845206364f689752f30
    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.diff.gz
    Size/MD5 checksum: 27993 866df86724501fbd550d5e164e4cdd3c
    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0.orig.tar.gz
    Size/MD5 checksum: 7180761 fb22a594bbdad07a0fbeef035a6d2f39

    Architecture independent packages:

    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2_all.deb
    Size/MD5 checksum: 7240984 9298abd370d67b6a4861f015e330d1c5


    These files will probably be moved into the stable distribution on
    its next update.

    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: [email protected]
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iEYEARECAAYFAktFssAACgkQ62zWxYk/rQf9kACgmyXz0l/5q9TZiiafcbmrEWqf x/8An3Daz3amIFFmj0uGbiQ+g4CtZw9w
    =4/Rk
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)