Accepted horde3 3.0.4-4sarge6 (source all)

From: Thijs Kinkhorst <thijs(at)debian.org>
Date: Mon Dec 17 2007 - 14:52:41 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 9 Nov 2007 22:25:26 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge6
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 378281 383416
Changes:
 horde3 (3.0.4-4sarge6) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.4 allows local users to delete arbitrary files and possibly gain privileges via multiple space-delimited pathnames. (CVE-2007-1474)
   * services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image proxy capability, which allows remote attackers to perform "Web tunneling" attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server. (CVE-2006-3549)
   * Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote attackers to inject arbitrary web script or HTML via a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a javascript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen). (CVE-2006-3548)
   * index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could be useful for phishing attacks, via a URL in the url parameter, aka "cross-site referencing." NOTE: some sources have referred to this issue as XSS, but it is different than classic XSS. (CVE-2006-4256)
   * Closes: 383416, 378281
Files: 
 a829a3791ed40777b0a4995be6727f13 920 web optional horde3_3.0.4-4sarge6.dsc
 ab0dc18c4744b21919c154ac81600ad7 13978 web optional horde3_3.0.4-4sarge6.diff.gz
 f2cd9a0c7cb7e800d357d206d9f19841 3437942 web optional horde3_3.0.4-4sarge6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBRzTRBWz0hbPcukPfAQKmSgf/VjlJap9ERu4xr57MnEUOF+TyCoxJuGFH
EEG0tUG8uGA9bz9wU0r1B2qdX6oSXl2DNhQMFYurF1/EXjcxJlauO9/ZSwsMHDuT
lwNrP5Z8HEPgjnB6H5wNFMgF+kLPpTw8lP3jw/wAvuwf9HUyPseitWryBkgHg3lP
7PaIJhxaj/JO+wWe1h4nE1bUszUbto1o5nNGyGM9+8EqeqtigpYRHC/SfYjUR6+K
52adRtyVBUMmfbyz7TUnt6NVWeqkYw48bHlhiPDYavYfo5RTqCnKVEuT2rtiL43w
PkdMCX3tVkcxOcq0UyJfqf1qdM5GNiFOc/Zoe0Ln+yNSOpfKGBTm6g==
=MEI0
-----END PGP SIGNATURE-----

Accepted:
horde3_3.0.4-4sarge6.diff.gz
  to pool/main/h/horde3/horde3_3.0.4-4sarge6.diff.gz
horde3_3.0.4-4sarge6.dsc
  to pool/main/h/horde3/horde3_3.0.4-4sarge6.dsc
horde3_3.0.4-4sarge6_all.deb
  to pool/main/h/horde3/horde3_3.0.4-4sarge6_all.deb

Received on Mon Dec 17 15:10:27 2007
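The three remaining entries (CVE-2006-3549, CVE-2006-3548 and CVE-2006-4256) all stem from a "url" parameter that is trusted as-is: the dereferrer in services/go.php will send the browser to a javascript: URI, the image proxy will fetch any http, https or ftp URL on the server's behalf, and index.php will frame a page from another site. The block below is an added example of the checks that close those three holes; it is not code from Horde's go.php or index.php, and the page does not say how the shipped patch implements its fix. Signing generated links with an HMAC is one common remedy and is assumed here; SECRET, PROXY_HOSTS, the function names and every sample URL are constructed for the demonstration.

```python
"""Hardening a redirect/proxy "url" parameter: scheme allowlist, host allowlist, signed links.

Constructed example, not Horde code. The application emits sign_url(url) next to every
external link it generates; go.php-style handlers then accept only URLs carrying a valid
signature, so an attacker cannot mint their own dereferrer or proxy links.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

SECRET = b"constructed-per-installation-secret"  # in practice random, stored outside the web root
EXTERNAL_SCHEMES = {"http", "https"}             # never javascript:, data:, ftp:, file:
PROXY_HOSTS = {"img.example.org"}                # constructed allowlist for the image proxy


def sign_url(url):
    """Hex HMAC-SHA256 the application attaches to every external link it emits."""
    return hmac.new(SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def _well_formed(url):
    # Control characters (CR/LF) would allow header injection when the URL is echoed
    # into a Location header; leading whitespace lets browsers read " javascript:"
    # as a javascript: URI even though a naive scheme check would not.
    return (isinstance(url, str) and url != "" and url == url.strip()
            and not any(ord(c) < 0x20 or c == "\x7f" for c in url))


def check_dereferrer(url, sig):
    """May go.php-style code redirect the browser to `url`?  Returns (ok, reason).

    The redirect is a browser-side redirect (Location header); the server never
    fetches `url` itself, which is why no host allowlist is needed here.
    """
    if not _well_formed(url) or not isinstance(sig, str):
        return False, "malformed url or signature"
    if not hmac.compare_digest(sign_url(url).encode(), sig.encode("utf-8")):
        return False, "bad signature: link was not generated by this site"
    parts = urlsplit(url)                      # urlsplit lowercases the scheme
    if parts.scheme not in EXTERNAL_SCHEMES:   # closes the javascript: URI XSS
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "no host"
    return True, "ok"


def check_image_proxy(url, sig):
    """Same as the dereferrer plus a host allowlist: here the server does fetch `url`,
    so an open check turns it into a web-tunneling proxy."""
    ok, reason = check_dereferrer(url, sig)
    if not ok:
        return ok, reason
    host = urlsplit(url).hostname or ""        # .hostname strips user:pass@ and lowercases
    if host not in PROXY_HOSTS:
        return False, "host %r not in proxy allowlist" % host
    return True, "ok"


def check_local_target(url):
    """For an index.php-style "url" parameter that selects a page to load in a frame:
    only site-relative paths, so another site cannot be framed for phishing."""
    if not _well_formed(url):
        return False, "malformed url"
    if url.startswith("//") or "\\" in url:    # protocol-relative; some browsers treat \ as /
        return False, "protocol-relative or backslash path"
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False, "absolute URL"
    return True, "ok"


if __name__ == "__main__":
    for url in ("http://www.example.net/page", "javascript:alert(1)",
                " javascript:alert(1)", "ftp://ftp.example.net/pub/"):
        print("dereferrer  %-30r %r" % (url, check_dereferrer(url, sign_url(url))))
    for url in ("http://img.example.org/a.png", "http://img.example.org@internal.example.net/a.png"):
        print("image proxy %-30r %r" % (url, check_image_proxy(url, sign_url(url))))
    for url in ("services/help/?module=imp", "//phish.example/login", "/\\phish.example"):
        print("frame       %-30r %r" % (url, check_local_target(url)))
```

The signature check is placed first so that an unsigned URL is rejected before any parsing happens, and the scheme check is an allowlist rather than a blocklist of javascript: and data:, since the latter is what the "leading whitespace" and mixed-case variants defeat. The userinfo sample shows why the proxy allowlist must be applied to the parsed hostname and not to a substring match on the raw URL.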

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:59:50 EDT
