lists.openwall.net | Open Source and information security mailing list archives
Date: Fri Jun 9 18:28:43 2006
From: rg.viza at gmail.com (neil davis)
Subject: Antw: [SECURITY] [DSA 1034-1] New horde2 packages fix several vulnerabilities

No he didn't. Someone please tell me he didn't...

I guess we'll be seeing Rocco's out of office message for a while...

On Fri, 2006-04-14 at 16:46 +0200, Rocco Maiullari wrote:
> Good day!
>
> Unfortunately I cannot answer your e-mail right away, as I am out of the office up to and including 21.04.2006.
> In urgent cases please contact my colleague
>
> Timo Dahlhoff
> Tel.: 02506 / 922 - 5266
> e-mail: timo.dahlhoff@...nehouse.de
>
>
> Rocco Maiullari
> Webmaster
>
> The Phone House Telecom GmbH
> Münsterstr. 109
> 48155 Münster
>
> Phone: +49 (0) 2506 - 922 5256
> Fax: +49 (0) 2506 - 922 1292
> E-Mail: rocco.maiullari@...nehouse.de
> http://www.phonehouse.de
>
> Lower your phone bill - with TalkTalk, our new landline offer! More info at: www.talktalk.de
>
> >>> full-disclosure 04/14/06 16:42 >>>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1034-1                     security@...ian.org
> http://www.debian.org/security/                          Moritz Muehlenhoff
> April 14th, 2006                        http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package        : horde2
> Vulnerability  : several
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CVE-2006-1260 CVE-2006-1491
>
> Several remote vulnerabilities have been discovered in the Horde web
> application framework, which may lead to the execution of arbitrary
> web script code. The Common Vulnerabilities and Exposures project
> identifies the following problems:
>
> CVE-2006-1260
>
>     Null characters in the URL parameter bypass a sanity check, which
>     allowed remote attackers to read arbitrary files, which allowed
>     information disclosure.
>
> CVE-2006-1491
>
>     User input in the help viewer was passed unsanitised to the eval()
>     function, which allowed injection of arbitrary web code.
>
>
> The old stable distribution (woody) doesn't contain horde2 packages.
>
> For the stable distribution (sarge) these problems have been fixed in
> version 2.2.8-1sarge2.
>
> The unstable distribution (sid) no longer contains horde2 packages.
>
> We recommend that you upgrade your horde2 package.
>
>
> Upgrade Instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.1 alias sarge
> - --------------------------------
>
> Source archives:
>
>   http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2.dsc
>     Size/MD5 checksum:      575 acf3f1924f04e2faddfd06ba9b01820e
>   http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2.diff.gz
>     Size/MD5 checksum:    39504 fb338c016b70e69fa4b867fa116b86dc
>   http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8.orig.tar.gz
>     Size/MD5 checksum:   683005 89961af4e4488a908147d7b3a0dc3b44
>
> Architecture independent components:
>
>   http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2_all.deb
>     Size/MD5 checksum:   721398 35fa1bf8bf8b4f2be1076501b984367a
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@...ts.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
>
> iD8DBQFEP7SJXm3vHE4uyloRAsVVAJ4n9UoO57tJYCw1JePujnjy90XFvACg3DLn
> nrfwvObZjSThW+pXcD8NI38=
> =BIdm
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
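The first advisory entry quoted above (CVE-2006-1260) describes a sanity check that a null byte slips past. The C program below is an added example, not Horde's code and not part of the Debian advisory, that models the mechanism: a binary-safe, length-aware check (the C equivalent of a PHP `substr($name, -4) == '.txt'` comparison) approves every byte of the buffer, but the NUL-terminated filesystem API underneath stops at the first `'\0'` and opens a different path. PHP's filesystem functions behaved this way until PHP 5.3.4 began rejecting paths that contain a NUL byte. The `.txt` policy, the function names, the return codes and the attack string `"/dev/null\0.txt"` (with `/dev/null` standing in for the file an attacker wants) are all constructed for this illustration. The hardened variant refuses any buffer whose `strlen()` disagrees with its declared length, so the string the check sees is the string the kernel sees.

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Return codes for the two open routines below (constructed for this example). */
#define REJECTED  (-2)   /* refused by the sanity check */
#define OPEN_FAIL (-1)   /* passed the check, but open(2) failed */

/* Binary-safe, length-aware sanity check, modelled on a PHP-style
 * substr($name, -4) == '.txt' comparison: it inspects all `len` bytes,
 * so an embedded '\0' does not stop it. */
int ends_with_txt(const char *name, size_t len)
{
    return len >= 4 && memcmp(name + len - 4, ".txt", 4) == 0;
}

/* Vulnerable pattern: validate the full buffer, then hand the same buffer
 * to a NUL-terminated API. open(2) only sees the bytes before the first
 * '\0', so "/dev/null\0.txt" is checked as "...txt" but opened as "/dev/null". */
int vulnerable_open(const char *name, size_t len)
{
    if (!ends_with_txt(name, len))
        return REJECTED;
    int fd = open(name, O_RDONLY);
    return fd < 0 ? OPEN_FAIL : fd;
}

/* Hardened pattern: an embedded NUL makes strlen() shorter than the declared
 * length, so the two views of the string can be forced to agree before any
 * policy check runs. */
int hardened_open(const char *name, size_t len)
{
    if (strlen(name) != len)           /* embedded '\0' in the input */
        return REJECTED;
    if (!ends_with_txt(name, len))
        return REJECTED;
    int fd = open(name, O_RDONLY);
    return fd < 0 ? OPEN_FAIL : fd;
}

/* Runs the bypass with a constructed attacker string. Returns 1 when the
 * vulnerable routine opened a path that never ended in ".txt" while the
 * hardened routine refused the same input. */
int demo_null_byte_bypass(void)
{
    /* Constructed attack input: 14 bytes, ".txt" placed after an embedded NUL. */
    static const char attack[] = "/dev/null\0.txt";
    size_t len = sizeof(attack) - 1;       /* 14: excludes the terminating NUL */

    int fd = vulnerable_open(attack, len);
    int bypassed = fd >= 0;                /* "/dev/null" was opened */
    if (fd >= 0)
        close(fd);

    int refused = hardened_open(attack, len) == REJECTED;
    return bypassed && refused;
}

int main(void)
{
    return demo_null_byte_bypass() ? 0 : 1;
}
```

Running the program exits 0 on a POSIX system: `ends_with_txt` accepts the 14-byte attack string, `open(2)` silently opens `/dev/null`, and only the length-consistency check in `hardened_open` catches the mismatch. Stripping NUL bytes instead of rejecting the request would also close the hole, but rejecting keeps the audit trail of an obviously hostile input.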