Hosting Provided By

[SECURITY] [DSA 1470-1] New horde3 packages fix denial of service

From: Moritz Muehlenhoff <jmm(at)debian.org>
Date: Sun Jan 20 2008 - 17:29:58 EST

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

------------------------------------------------------------------------ Debian Security Advisory DSA-1470-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff January 20, 2008 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : horde3
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-6018

Ulf Harnhammer discovered that the HTML filter of the Horde web application framework performed insufficient input sanitising, which may lead to the deletion of emails if a user is tricked into viewing a malformed email inside the Imp client.

This update also provides backported bugfixes to the cross-site scripting filter and the user management API from the latest Horde release 3.1.6.

For the stable distribution (etch), this problem has been fixed in version 3.1.3-4etch2.

The old stable distribution (sarge) is not affected. An update to Etch is recommended, though.

We recommend that you upgrade your horde3 package.

Upgrade instructions

- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

Do you need help?

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian 4.0 (stable)

- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch2.dsc
    Size/MD5 checksum:      682 65c2b4458281e2e4c844b7bd4af52ba3
  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch2.diff.gz
    Size/MD5 checksum:    12893 db60e2c62f488824247429c35ace45fd
  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz
    Size/MD5 checksum:  5232958 fbc56c608ac81474b846b1b4b7bb5ee7

Architecture independent packages:

Do you need more help?

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch2_all.deb Size/MD5 checksum: 5261396 e1cff2548fbd2f1984e2cf956ecd43f8

These files will probably be moved into the stable distribution on its next update.

--------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHk8smXm3vHE4uyloRAreOAKCU9Ume95wSCoHxgHbbsu1WkWJsIACgi65H pQbB9Qf5b3k9ErzaNxEXsCo=
=lrPc
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Sun Jan 20 17:33:22 2008

This message: [ Message body ]
Next message: Moritz Muehlenhoff: "[SECURITY] [DSA 1471-1] New libvorbis packages fix several vulnerabilities"
Previous message: Moritz Muehlenhoff: "[SECURITY] [DSA 1469-1] New flac packages fix arbitrary code execution"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:53:49 EDT