From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- metadata/glsa/glsa-200805-01.xml | 128 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 metadata/glsa/glsa-200805-01.xml (limited to 'metadata/glsa/glsa-200805-01.xml') diff --git a/metadata/glsa/glsa-200805-01.xml b/metadata/glsa/glsa-200805-01.xml new file mode 100644 index 000000000000..c5da8ee8a3f5 --- /dev/null +++ b/metadata/glsa/glsa-200805-01.xml @@ -0,0 +1,128 @@ + + + + Horde Application Framework: Multiple vulnerabilities + + Multiple vulnerabilities in the Horde Application Framework may lead to the + execution of arbitrary files, information disclosure, and allow a remote + attacker to bypass security restrictions. + + horde + 2008-05-05 + 2008-05-05: 01 + 212635 + 213493 + remote + + + 3.1.7 + 3.1.7 + + + 1.0.5 + 1.0.5 + + + 2.1.7 + 2.1.7 + + + 2.1.2 + 2.1.2 + + + 2.1.4 + 2.1.4 + + + 1.0.6 + 1.0.6 + + + +

+ The Horde Application Framework is a general-purpose web application + framework written in PHP, providing classes for handling preferences, + compression, browser detection, connection tracking, MIME and more. +

+
+ +

+ Multiple vulnerabilities have been reported in the Horde Application + Framework: +

+
    +
  • David Collins, Patrick Pelanne and the + HostGator.com LLC support team discovered that the theme preference + page does not sanitize POST variables for several options, allowing the + insertion of NULL bytes and ".." sequences (CVE-2008-1284).
  • +
  • An + error exists in the Horde API allowing users to bypass security + restrictions.
  • +
+
+ +

+ The first vulnerability can be exploited by a remote attacker to read + arbitrary files and by remote authenticated attackers to execute + arbitrary files. The second vulnerability can be exploited by + authenticated remote attackers to perform restricted operations. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Horde Application Framework users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-3.1.7" +

+ All horde-groupware users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-groupware-1.0.5" +

+ All horde-kronolith users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-kronolith-2.1.7" +

+ All horde-mnemo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-mnemo-2.1.2" +

+ All horde-nag users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-nag-2.1.4" +

+ All horde-webmail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-webmail-1.0.6" +
+ + CVE-2008-1284 + + + keytoaster + + + rbu + + + mfleming + +
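Review bot: the second bullet in the description ("An error exists in the Horde API allowing users to bypass security restrictions") carries no identifier, while the first bullet cites CVE-2008-1284 and the references block at the end lists only that one CVE; since the bugs block names two tracker entries (212635 and 213493), tie the second issue to its bug number, or state explicitly that no CVE was assigned, so that each of the six package bumps in the resolution can be traced to a tracked issue. One wording point in the impact paragraph: "execute arbitrary files" reads oddly next to "read arbitrary files"; for the NULL-byte and ".." traversal described in the first bullet, "include and thereby execute arbitrary local files" states the consequence more precisely.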