Debian Bug report logs - #361967
Horde3 Critical Vulnerability


Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Pedro Müller <pedrom@secret.com.br>

Date: Tue, 11 Apr 2006 14:48:04 UTC

Severity: critical

Tags: etch, sarge, security

Found in version horde3/3.0.9-3

Done: Lionel Elie Mamane <lionel@mamane.lu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#361967; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Pedro Müller <pedrom@secret.com.br>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Pedro Müller <pedrom@secret.com.br>
To: <submit@bugs.debian.org>
Subject: Horde3 Critical Vulnerability
Date: Tue, 11 Apr 2006 10:59:57 -0300
Package: horde3
Version: 3.0.9-3
Severity: critical 

"Horde is prone to a remote PHP code-execution vulnerability. 

An attacker can exploit this issue to execute arbitrary malicious PHP code in the context of the webserver process. This may help the attacker compromise the application and the underlying system; other attacks are also possible.

Horde versions 3.0 up to 3.0.9 and 3.1.0 are vulnerable; other versions may also be affected."

See:
 http://www.securityfocus.com/bid/17292/info

Pedro Müller
Security Officer

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#361967; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 361967@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: Pedro Müller <pedrom@ecad.org.br>
Cc: pkg-horde-hackers@lists.alioth.debian.org, security@debian.org, 361967@bugs.debian.org, secure-testing-team@lists.alioth.debian.org, control@bugs.debian.org
Subject: Horde3 Vulnerability: CVE-2006-1491 remote arbitrary command execution
Date: Tue, 11 Apr 2006 17:15:02 +0200
tags  361967 +etch sarge security
thanks

On Tue, Apr 11, 2006 at 10:46:07AM -0300, Pedro Müller wrote:

>       See this:
>         http://www.securityfocus.com/bid/17292/info

>         Please, fix this or update to 3.0.10.

An update has been submitted to the security team; I suppose they are
going to release a security advisory and put the said update on the
archive on security.debian.org anytime now.

If you wish to use the update we prepared before it is approved by the
security team, you can take it from
http://people.debian.org/~lmamane/horde/ . (That update is for Debian
stable 3.1 sarge. Debian unstable sid is already fixed. Debian testing
etch (the "beta version" of Debian 3.2) is going to get the update
automatically in a few days. If you are running Debian testing etch,
you can install the horde3 / imp4 / turba2 / ... packages from
unstable sid.)

The "secure testing" team might want to consider pushing turba2 2.1-1
to etch prematurely, as it is blocking horde3 3.1.1-1 (the version
that fixes this) to migrate to testing.


> This is critical!

Yes, it is.

-- 
Lionel



Tags added: etch, sarge, security Request was from Lionel Elie Mamane <lionel@mamane.lu> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#361967; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #17 received at 361967@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Lionel Elie Mamane <lionel@mamane.lu>
Cc: Pedro Müller <pedrom@ecad.org.br>, pkg-horde-hackers@lists.alioth.debian.org, security@debian.org, 361967@bugs.debian.org, secure-testing-team@lists.alioth.debian.org, control@bugs.debian.org
Subject: Re: Horde3 Vulnerability: CVE-2006-1491 remote arbitrary command execution
Date: Wed, 12 Apr 2006 14:21:17 +0200
Lionel Elie Mamane wrote:
> tags  361967 +etch sarge security
> thanks
> 
> On Tue, Apr 11, 2006 at 10:46:07AM -0300, Pedro Müller wrote:
> 
> >       See this:
> >         http://www.securityfocus.com/bid/17292/info
> 
> >         Please, fix this or update to 3.0.10.
> 
> An update has been submitted to the security team; I suppose they are
> going to release a security advisory and put the said update on the
> archive on security.debian.org anytime now.

Umm, sorry, I was under the impression that the update was still being
prepared. I'll check and upload tonight (European time).

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#361967; Package horde3. Full text and rfc822 format available.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #22 received at 361967@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <opal@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 361967@bugs.debian.org
Subject: Re: [pkg-horde] Bug#361967: Horde3 Vulnerability: CVE-2006-1491 remote arbitrary command execution
Date: Thu, 13 Apr 2006 06:29:11 +0200
Hi

I saw this morning that the upload has been accepted into sarge.

Regards,

// Ola

On Wed, Apr 12, 2006 at 02:21:17PM +0200, Moritz Muehlenhoff wrote:
> Lionel Elie Mamane wrote:
> > tags  361967 +etch sarge security
> > thanks
> > 
> > On Tue, Apr 11, 2006 at 10:46:07AM -0300, Pedro Müller wrote:
> > 
> > >       See this:
> > >         http://www.securityfocus.com/bid/17292/info
> > 
> > >         Please, fix this or update to 3.0.10.
> > 
> > An update has been submitted to the security team; I suppose they are
> > going to release a security advisory and put the said update on the
> > archive on security.debian.org anytime now.
> 
> Umm, sorry, I was under the impression, that the update was still being
> prepared. I'll check and upload tonight (European time).
> 
> Cheers,
>         Moritz
> 
> 
> _______________________________________________
> pkg-horde-hackers mailing list
> pkg-horde-hackers@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-horde-hackers
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Reply sent to Lionel Elie Mamane <lionel@mamane.lu>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Pedro Müller <pedrom@secret.com.br>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #27 received at 361967-done@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Pedro Müller <pedrom@ecad.org.br>, 361967-done@bugs.debian.org, security@debian.org
Subject: Re: [pkg-horde] Re: Horde3 Vulnerability: CVE-2006-1491 remote arbitrary command execution
Date: Thu, 13 Apr 2006 17:46:21 +0200
On Wed, Apr 12, 2006 at 02:21:17PM +0200, Moritz Muehlenhoff wrote:
> Lionel Elie Mamane wrote:
>> On Tue, Apr 11, 2006 at 10:46:07AM -0300, Pedro Müller wrote:

>>>       See this:
>>>         http://www.securityfocus.com/bid/17292/info

>> An update has been submitted to the security team; I suppose they
>> are going to release a security advisory and put the said update on
>> the archive on security.debian.org anytime now.

> Umm, sorry, I was under the impression, that the update was still being
> prepared.

Not for the horde3/horde2 packages themselves, but there are indeed
potentially open issues in horde suite applications:

  CVE-2005-4192 in mnemo in sarge?
  CVE-2005-4191 in nag in sarge?

(These are XSS attacks.)

> I'll check and upload tonight (European time).

Thanks, I've seen it is done now for horde3. And horde2? The answer to
Martin's point in
http://lists.alioth.debian.org/pipermail/pkg-horde-hackers/2006-March/000358.html
is: Don't run "make -f debian/rule clean", it is buggy and deletes too
much. If you just unpack the sources and build the package, it should
be OK.

-- 
Lionel



Message #28 received at 361967-done@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Lionel Elie Mamane <lionel@mamane.lu>
Cc: Pedro Müller <pedrom@ecad.org.br>, 361967-done@bugs.debian.org, team@security.debian.org
Subject: Re: [pkg-horde] Re: Horde3 Vulnerability: CVE-2006-1491 remote arbitrary command execution
Date: Fri, 14 Apr 2006 13:52:00 +0200
Lionel Elie Mamane wrote:
> > I'll check and upload tonight (European time).
> 
> Thanks, I've seen it is done now for horde3. And horde2? 

I'm aware, but I've been very busy with my thesis. I'll do it tonight.

Cheers,
        Moritz



Message #29 received at 361967-done@bugs.debian.org (full text, mbox):

From: Pedro Müller <pedrom@ecad.org.br>
To: "Lionel Elie Mamane" <lionel@mamane.lu>, "Moritz Muehlenhoff" <jmm@inutil.org>
Cc: <361967-done@bugs.debian.org>, <security@debian.org>
Subject: Re: [pkg-horde] Re: Horde3 Vulnerability: CVE-2006-1491 remote arbitrary command execution
Date: Mon, 17 Apr 2006 11:19:08 -0300
Hi,
    Don't have the fix yet for the testing/Etch version?
On http://packages.debian.org the testing/Etch version is 3.0.9-3.
All versions before 3.0.10 have the bug.
One fast solution is to migrate the unstable/sid version to the testing/Etch
version.
 - stable (web): horde web application framework
   3.0.4-4sarge3: all
   3.0.4-4sarge2: all
   3.0.4-4: all
 - testing (web): horde web application framework
   3.0.9-3: all
 - unstable (web): horde web application framework
   3.1.1-1: all
Pedro Müller

----- Original Message ----- 
From: "Lionel Elie Mamane" <lionel@mamane.lu>
To: "Moritz Muehlenhoff" <jmm@inutil.org>
Cc: "Pedro Müller" <pedrom@ecad.org.br>; <361967-done@bugs.debian.org>; 
<security@debian.org>
Sent: Thursday, April 13, 2006 12:46 PM
Subject: Re: [pkg-horde] Re: Horde3 Vulnerability: CVE-2006-1491 remote 
arbitrary command execution


> On Wed, Apr 12, 2006 at 02:21:17PM +0200, Moritz Muehlenhoff wrote:
>> Lionel Elie Mamane wrote:
>>> On Tue, Apr 11, 2006 at 10:46:07AM -0300, Pedro Müller wrote:
>
>>>>       See this:
>>>>         http://www.securityfocus.com/bid/17292/info
>
>>> An update has been submitted to the security team; I suppose they
>>> are going to release a security advisory and put the said update on
>>> the archive on security.debian.org anytime now.
>
>> Umm, sorry, I was under the impression, that the update was still being
>> prepared.
>
> Not for the horde3/horde2 packages themselves, but there are indeed
> potentially open issues in horde suite applications:
>
>  CVE-2005-4192 in mnemo in sarge?
>  CVE-2005-4191 in nag in sarge?
>
> (These are XSS attacks.)
>
>> I'll check and upload tonight (European time).
>
> Thanks, I've seen it is done now for horde3. And horde2? The answer to
> Martin's point in
> http://lists.alioth.debian.org/pipermail/pkg-horde-hackers/2006-March/000358.html
> is: Don't run "make -f debian/rule clean", it is buggy and deletes too
> much. If you just unpack the sources and build the package, it should
> be OK.
>
> -- 
> Lionel
> 




Message #30 received at 361967-done@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: Pedro Müller <pedrom@ecad.org.br>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 361967-done@bugs.debian.org, security@debian.org
Subject: Re: [pkg-horde] Re: Horde3 Vulnerability: CVE-2006-1491 remote arbitrary command execution
Date: Mon, 17 Apr 2006 21:02:12 +0200
On Mon, Apr 17, 2006 at 11:19:08AM -0300, Pedro Müller wrote:

>        Don't have the fix yet for the testing/Etch version?

The fix is the upgrade to the version in sid. There is no plan to
package 3.0.10. 3.1.1-1 (fixed) is slated to enter etch this night.

-- 
Lionel



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 14:21:32 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 21:45:22 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.