Articles / Debian: New horde3 packages…

Debian: New horde3 packages fix cross-site scripting

Several vulnerabilities have been found in horde3, the horde web application framework. It has been discovered that horde3 is prone to cross-site scripting attacks via crafted number preferences or inline MIME text parts when using text/plain as MIME type. It has been discovered that the horde3 administration interface is prone to cross-site scripting attacks due to the use of the PHP_SELF variable. It has been discovered that horde3 is prone to several cross-site scripting attacks via crafted data:text/html values in HTML messages. Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1966-1                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
January 07, 2010                   http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : horde3
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Ids        : CVE-2009-3237 CVE-2009-3701 CVE-2009-4363

Several vulnerabilities have been found in horde3, the horde web application
framework. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-3237

It has been discovered that horde3 is prone to cross-site scripting
attacks via crafted number preferences or inline MIME text parts when
using text/plain as MIME type.
For lenny this issue was already fixed, but as an additional security
precaution, the display of inline text was disabled in the configuration
file.

CVE-2009-3701

It has been discovered that the horde3 administration interface is prone
to cross-site scripting attacks due to the use of the PHP_SELF variable.
This issue can only be exploited by authenticated administrators.

CVE-2009-4363

It has been discovered that horde3 is prone to several cross-site
scripting attacks via crafted data:text/html values in HTML messages.


For the stable distribution (lenny), these problems have been fixed in
version 3.2.2+debian0-2+lenny2.

For the oldstable distribution (etch), these problems have been fixed in
version 3.1.3-4etch7.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 3.3.6+debian0-1.


We recommend that you upgrade your horde3 packages.


Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.dsc
   Size/MD5 checksum:      691 48b9e415b5f6ab912615d4da1fdbf972
 http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.diff.gz
   Size/MD5 checksum:    17280 15471b64c8321f477800da4cfe3ff8e4
 http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz
   Size/MD5 checksum:  5232958 fbc56c608ac81474b846b1b4b7bb5ee7

Architecture independent packages:

 http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7_all.deb
   Size/MD5 checksum:  5282070 b0788ebca983b9059a7fa05ada2de4cb


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.dsc
   Size/MD5 checksum:     1389 c7d03777a3a09845206364f689752f30
 http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.diff.gz
   Size/MD5 checksum:    27993 866df86724501fbd550d5e164e4cdd3c
 http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0.orig.tar.gz
   Size/MD5 checksum:  7180761 fb22a594bbdad07a0fbeef035a6d2f39

Architecture independent packages:

 http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2_all.deb
   Size/MD5 checksum:  7240984 9298abd370d67b6a4861f015e330d1c5


 These files will probably be moved into the stable distribution on
 its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktFssAACgkQ62zWxYk/rQf9kACgmyXz0l/5q9TZiiafcbmrEWqf
x/8An3Daz3amIFFmj0uGbiQ+g4CtZw9w
=4/Rk
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.