Date: Fri Jun 9 18:38:05 2006
From: cardosolistas at contraditorium.com (Cardoso)
Subject: Antw: [SECURITY] [DSA 1034-1] New horde2 packages fix several vulnerabilities

Yes, he did. Happens all the time, there's no such thing as a "list of
seasoned professionals, that know better and don't act like newbies".

I wonder how much of the daily mail traffic is made of autoresponders and
whitelist-challenge messages.

On Fri, 09 Jun 2006 13:37:18 -0400
neil davis <rg.viza@...il.com> wrote:

nd> No he didn't. Someone please tell me he didn't... I guess we'll be
nd> seeing Rocco's out of office message for a while...
nd>
nd> On Fri, 2006-04-14 at 16:46 +0200, Rocco Maiullari wrote:
nd> > Hello!
nd> >
nd> > Unfortunately I cannot answer your e-mail right away, as I am out of the office until 21.04.2006 inclusive.
nd> > In urgent cases please contact my colleague
nd> >
nd> > Timo Dahlhoff
nd> > Tel. : 02506 / 922 - 5266
nd> > e-mail : timo.dahlhoff@...nehouse.de
nd> >
nd> >
nd> > Rocco Maiullari
nd> > Webmaster
nd> >
nd> > The Phone House Telecom GmbH
nd> > Münsterstr. 109
nd> > 48155 Münster
nd> >
nd> > Phone: +49 (0) 2506 - 922 5256
nd> > Fax: +49 (0) 2506 - 922 1292
nd> > E-Mail: rocco.maiullari@...nehouse.de
nd> > http://www.phonehouse.de
nd> >
nd> > Lower your phone bill - with TalkTalk, our new landline offer!
nd> > More information at: www.talktalk.de
nd> >
nd> > >>> full-disclosure 04/14/06 16:42 >>>
nd> >
nd> > -----BEGIN PGP SIGNED MESSAGE-----
nd> > Hash: SHA1
nd> >
nd> > - --------------------------------------------------------------------------
nd> > Debian Security Advisory DSA 1034-1                    security@...ian.org
nd> > http://www.debian.org/security/                         Moritz Muehlenhoff
nd> > April 14th, 2006                        http://www.debian.org/security/faq
nd> > - --------------------------------------------------------------------------
nd> >
nd> > Package        : horde2
nd> > Vulnerability  : several
nd> > Problem-Type   : remote
nd> > Debian-specific: no
nd> > CVE ID         : CVE-2006-1260 CVE-2006-1491
nd> >
nd> > Several remote vulnerabilities have been discovered in the Horde web
nd> > application framework, which may lead to the execution of arbitrary
nd> > web script code. The Common Vulnerabilities and Exposures project
nd> > identifies the following problems:
nd> >
nd> > CVE-2006-1260
nd> >
nd> >     Null characters in the URL parameter bypass a sanity check, which
nd> >     allowed remote attackers to read arbitrary files, which allowed
nd> >     information disclosure.
nd> >
nd> > CVE-2006-1491
nd> >
nd> >     User input in the help viewer was passed unsanitised to the eval()
nd> >     function, which allowed injection of arbitrary web code.
nd> >
nd> >
nd> > The old stable distribution (woody) doesn't contain horde2 packages.
nd> >
nd> > For the stable distribution (sarge) these problems have been fixed in
nd> > version 2.2.8-1sarge2.
nd> >
nd> > The unstable distribution (sid) does no longer contain horde2 packages.
nd> >
nd> > We recommend that you upgrade your horde2 package.
nd> >
nd> >
nd> > Upgrade Instructions
nd> > - --------------------
nd> >
nd> > wget url
nd> >         will fetch the file for you
nd> > dpkg -i file.deb
nd> >         will install the referenced file.
nd> >
nd> > If you are using the apt-get package manager, use the line for
nd> > sources.list as given below:
nd> >
nd> > apt-get update
nd> >         will update the internal database
nd> > apt-get upgrade
nd> >         will install corrected packages
nd> >
nd> > You may use an automated update by adding the resources from the
nd> > footer to the proper configuration.
nd> >
nd> >
nd> > Debian GNU/Linux 3.1 alias sarge
nd> > - --------------------------------
nd> >
nd> >   Source archives:
nd> >
nd> >     http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2.dsc
nd> >       Size/MD5 checksum:      575 acf3f1924f04e2faddfd06ba9b01820e
nd> >     http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2.diff.gz
nd> >       Size/MD5 checksum:    39504 fb338c016b70e69fa4b867fa116b86dc
nd> >     http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8.orig.tar.gz
nd> >       Size/MD5 checksum:   683005 89961af4e4488a908147d7b3a0dc3b44
nd> >
nd> >   Architecture independent components:
nd> >
nd> >     http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2_all.deb
nd> >       Size/MD5 checksum:   721398 35fa1bf8bf8b4f2be1076501b984367a
nd> >
nd> >
nd> >   These files will probably be moved into the stable distribution on
nd> >   its next update.
nd> >
nd> > - ---------------------------------------------------------------------------------
nd> > For apt-get: deb http://security.debian.org/ stable/updates main
nd> > For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
nd> > Mailing list: debian-security-announce@...ts.debian.org
nd> > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
nd> > -----BEGIN PGP SIGNATURE-----
nd> > Version: GnuPG v1.4.3 (GNU/Linux)
nd> >
nd> > iD8DBQFEP7SJXm3vHE4uyloRAsVVAJ4n9UoO57tJYCw1JePujnjy90XFvACg3DLn
nd> > nrfwvObZjSThW+pXcD8NI38=
nd> > =BIdm
nd> > -----END PGP SIGNATURE-----
nd> >
nd> > _______________________________________________
nd> > Full-Disclosure - We believe in it.
nd> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
nd> > Hosted and sponsored by Secunia - http://secunia.com/
nd>

Allgemeinen Anschulterlaubnis

Cardoso <cardoso@...ox.com> - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com
personal site and blog: http://www.carloscardoso.com