Message-ID: <20060609143453.152D.CARDOSOLISTAS@contraditorium.com>
Date: Fri Jun  9 18:38:05 2006
From: cardosolistas at contraditorium.com (Cardoso)
Subject: Antw: [SECURITY] [DSA 1034-1] New horde2 packages fix several vulnerabilities


Yes, he did. Happens all the time, there's no such thing as a "list of
seasoned professionals, that know better and don't act like newbies". 

I wonder how much daily mail traffic is made up of autoresponders and
whitelist-challenge messages.

On Fri, 09 Jun 2006 13:37:18 -0400
neil davis <rg.viza@...il.com> wrote:

nd> No he didn't. Someone please tell me he didn't... I guess we'll be
nd> seeing Rocco's out of office message for a while...
nd> 
nd> On Fri, 2006-04-14 at 16:46 +0200, Rocco Maiullari wrote:
nd> > Good day!
nd> > 
nd> > Unfortunately I cannot answer your e-mail right away, as I am out of the office until 21.04.2006 inclusive.
nd> > In urgent cases please contact my colleague 
nd> > 
nd> > Timo Dahlhoff
nd> > Tel. : 02506 / 922 - 5266 
nd> > e-mail : timo.dahlhoff@...nehouse.de 
nd> > 
nd> > 
nd> > Rocco Maiullari
nd> > Webmaster
nd> > 
nd> > The Phone House Telecom GmbH
nd> > Münsterstr. 109
nd> > 48155 Münster
nd> > 
nd> > Phone: +49 (0) 2506 - 922 5256
nd> > Fax: +49 (0) 2506 - 922 1292 
nd> > E-Mail: rocco.maiullari@...nehouse.de
nd> > http://www.phonehouse.de
nd> > 
nd> > Lower your phone bill - with TalkTalk, our new landline offer! More info at: www.talktalk.de 
nd> > 
nd> > >>> full-disclosure 04/14/06 16:42 >>>
nd> > 
nd> > -----BEGIN PGP SIGNED MESSAGE-----
nd> > Hash: SHA1
nd> > 
nd> > - --------------------------------------------------------------------------
nd> > Debian Security Advisory DSA 1034-1                    security@...ian.org
nd> > http://www.debian.org/security/                         Moritz Muehlenhoff
nd> > April 14th, 2006                        http://www.debian.org/security/faq
nd> > - --------------------------------------------------------------------------
nd> > 
nd> > Package        : horde2
nd> > Vulnerability  : several
nd> > Problem-Type   : remote
nd> > Debian-specific: no
nd> > CVE ID         : CVE-2006-1260 CVE-2006-1491
nd> > 
nd> > Several remote vulnerabilities have been discovered in the Horde web
nd> > application framework, which may lead to the execution of arbitrary 
nd> > web script code. The Common Vulnerabilities and Exposures project
nd> > identifies the following problems:
nd> > 
nd> > CVE-2006-1260
nd> > 
nd> >     Null characters in the URL parameter bypass a sanity check, which
nd> >     allowed remote attackers to read arbitrary files, which allowed
nd> >     information disclosure.
nd> > 
nd> > CVE-2006-1491
nd> > 
nd> >     User input in the help viewer was passed unsanitised to the eval()
nd> >     function, which allowed injection of arbitrary web code.    
nd> > 
nd> > 
nd> > The old stable distribution (woody) doesn't contain horde2 packages.
nd> > 
nd> > For the stable distribution (sarge) these problems have been fixed in
nd> > version 2.2.8-1sarge2.
nd> > 
nd> > The unstable distribution (sid) no longer contains horde2 packages.
nd> > 
nd> > We recommend that you upgrade your horde2 package.
nd> > 
nd> > 
nd> > Upgrade Instructions
nd> > - --------------------
nd> > 
nd> > wget url
nd> >         will fetch the file for you
nd> > dpkg -i file.deb
nd> >         will install the referenced file.
nd> > 
nd> > If you are using the apt-get package manager, use the line for
nd> > sources.list as given below:
nd> > 
nd> > apt-get update
nd> >         will update the internal database
nd> > apt-get upgrade
nd> >         will install corrected packages
nd> > 
nd> > You may use an automated update by adding the resources from the
nd> > footer to the proper configuration.
nd> > 
nd> > 
nd> > Debian GNU/Linux 3.1 alias sarge
nd> > - --------------------------------
nd> > 
nd> >   Source archives:
nd> > 
nd> >     http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2.dsc
nd> >       Size/MD5 checksum:      575 acf3f1924f04e2faddfd06ba9b01820e
nd> >     http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2.diff.gz
nd> >       Size/MD5 checksum:    39504 fb338c016b70e69fa4b867fa116b86dc
nd> >     http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8.orig.tar.gz
nd> >       Size/MD5 checksum:   683005 89961af4e4488a908147d7b3a0dc3b44
nd> > 
nd> >   Architecture independent components:
nd> > 
nd> >     http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2_all.deb
nd> >       Size/MD5 checksum:   721398 35fa1bf8bf8b4f2be1076501b984367a
nd> > 
nd> > 
nd> >   These files will probably be moved into the stable distribution on
nd> >   its next update.
nd> > 
nd> > - ---------------------------------------------------------------------------------
nd> > For apt-get: deb http://security.debian.org/ stable/updates main
nd> > For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
nd> > Mailing list: debian-security-announce@...ts.debian.org
nd> > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
nd> > -----BEGIN PGP SIGNATURE-----
nd> > Version: GnuPG v1.4.3 (GNU/Linux)
nd> > 
nd> > iD8DBQFEP7SJXm3vHE4uyloRAsVVAJ4n9UoO57tJYCw1JePujnjy90XFvACg3DLn
nd> > nrfwvObZjSThW+pXcD8NI38=
nd> > =BIdm
nd> > -----END PGP SIGNATURE-----
nd> > 
nd> > _______________________________________________
nd> > Full-Disclosure - We believe in it.
nd> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
nd> > Hosted and sponsored by Secunia - http://secunia.com/
nd> > 
nd> 

Allgemeinen Anschulterlaubnis
Cardoso <cardoso@...ox.com> - SkypeIn: (11) 3711-2466 / (41) 3941-5299
vida digital: http://www.contraditorium.com site pessoal e blog: http://www.carloscardoso.com
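The quoted advisory describes CVE-2006-1260 as a NUL byte in a URL parameter slipping past a string-level sanity check. The Python below is an added example, not code from this thread, from Horde or from the Debian advisory: it models that check-bypass class with a constructed document root (`BASE_DIR`), a pre-fix style `weak_check`, the NUL-truncated view a C string API would see, and a `hardened_check` that rejects embedded NULs and confines the canonicalised path. All names and paths are hypothetical and nothing is read from disk.

```python
"""
Added example modelling the validation-bypass class the advisory describes:
a string-level check accepts a value that the underlying C library later
truncates at the first NUL byte. BASE_DIR and all inputs are constructed.
"""
import posixpath

BASE_DIR = "/var/www/horde/help"   # constructed example document root


def weak_check(user_path: str) -> bool:
    """Pre-fix style check: inspects the whole string as the interpreter
    sees it. A trailing '.txt' satisfies the suffix test even when it sits
    after a NUL byte that a C-level open() would never reach."""
    return ".." not in user_path and user_path.endswith(".txt")


def c_level_view(user_path: str) -> str:
    """The path a NUL-terminated C string API would actually operate on."""
    return user_path.split("\0", 1)[0]


def hardened_check(user_path: str) -> bool:
    """Post-fix style check: reject embedded NULs outright, then canonicalise
    the joined path and confine it to BASE_DIR before any suffix test.
    posixpath.join discards BASE_DIR for absolute inputs, so the prefix test
    also rejects absolute paths."""
    if "\0" in user_path:
        return False
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    if not candidate.startswith(BASE_DIR + "/"):
        return False
    return candidate.endswith(".txt")


def evaluate(user_path: str):
    """Return (weak_accepts, hardened_accepts, effective_c_path) for one input."""
    return weak_check(user_path), hardened_check(user_path), c_level_view(user_path)


if __name__ == "__main__":
    # Constructed inputs: a benign name and a NUL-truncated one.
    for sample in ("intro.txt", "/etc/passwd\0.txt", "../intro.txt"):
        weak, hard, seen = evaluate(sample)
        print(f"{sample!r:28} weak={weak!s:5} hardened={hard!s:5} C sees {seen!r}")
```

The point of the comparison is that the weak check and the file API disagree about which string is being validated; the hardened check removes that disagreement by refusing NULs before canonicalising, and then enforces the directory confinement on the canonical form rather than on the raw input.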
