Debian: DSA-1966-1: New horde3 packages fix cross-site scripting


- ------------------------------------------------------------------------
Debian Security Advisory DSA-1966-1                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
January 07, 2010                   http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : horde3
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Ids        : CVE-2009-3237 CVE-2009-3701 CVE-2009-4363

Several vulnerabilities have been found in horde3, the horde web application
framework. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-3237

It has been discovered that horde3 is prone to cross-site scripting
attacks via crafted number preferences or inline MIME text parts when
using text/plain as MIME type.
For lenny this issue was already fixed, but as an additional security
precaution, the display of inline text was disabled in the configuration
file.

CVE-2009-3701

It has been discovered that the horde3 administration interface is prone
to cross-site scripting attacks due to the use of the PHP_SELF variable.
This issue can only be exploited by authenticated administrators.

CVE-2009-4363

It has been discovered that horde3 is prone to several cross-site
scripting attacks via crafted data:text/html values in HTML messages.


For the stable distribution (lenny), these problems have been fixed in
version 3.2.2+debian0-2+lenny2.

For the oldstable distribution (etch), these problems have been fixed in
version 3.1.3-4etch7.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 3.3.6+debian0-1.


We recommend that you upgrade your horde3 packages.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:      691 48b9e415b5f6ab912615d4da1fdbf972
      Size/MD5 checksum:    17280 15471b64c8321f477800da4cfe3ff8e4
      Size/MD5 checksum:  5232958 fbc56c608ac81474b846b1b4b7bb5ee7

Architecture independent packages:

      Size/MD5 checksum:  5282070 b0788ebca983b9059a7fa05ada2de4cb


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:     1389 c7d03777a3a09845206364f689752f30
      Size/MD5 checksum:    27993 866df86724501fbd550d5e164e4cdd3c
      Size/MD5 checksum:  7180761 fb22a594bbdad07a0fbeef035a6d2f39

Architecture independent packages:

      Size/MD5 checksum:  7240984 9298abd370d67b6a4861f015e330d1c5


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
Debian: DSA-1966-1: New horde3 packages fix cross-site scripting

Summary

Related News

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By
