Gentoo Forums
[ GLSA 200911-01 ] Horde: Multiple vulnerabilities
GLSA
Advocate
Joined: 12 May 2004
Posts: 2663

Posted: Fri Nov 06, 2009 2:26 pm    Post subject: [ GLSA 200911-01 ] Horde: Multiple vulnerabilities

Gentoo Linux Security Advisory

Title: Horde: Multiple vulnerabilities (GLSA 200911-01)
Severity: normal
Exploitable: remote
Date: November 06, 2009
Bug(s): #285052
ID: 200911-01

Synopsis


Multiple vulnerabilities in the Horde Application Framework can allow for
arbitrary files to be overwritten and cross-site scripting attacks.


Background


Horde is a web application framework written in PHP.


Affected Packages

Package: www-apps/horde
Vulnerable: < 3.3.5
Unaffected: >= 3.3.5
Architectures: All supported architectures

Package: www-apps/horde-webmail
Vulnerable: < 1.2.4
Unaffected: >= 1.2.4
Architectures: All supported architectures

Package: www-apps/horde-groupware
Vulnerable: < 1.2.4
Unaffected: >= 1.2.4
Architectures: All supported architectures


Description


Multiple vulnerabilities have been discovered in Horde:
  • Stefan Esser of Sektion1 reported an error within the form library
    when handling image form fields (CVE-2009-3236).
  • Martin Geisler and David Wharton reported that an error exists in the
    MIME viewer library when viewing unknown text parts and the preferences
    system in services/prefs.php when handling number preferences
    (CVE-2009-3237).


Impact


A remote authenticated attacker could exploit these vulnerabilities to
overwrite arbitrary files on the server, provided that the user has
write permissions. A remote authenticated attacker could conduct
Cross-Site Scripting attacks.


Workaround


There is no known workaround at this time.


Resolution


All Horde users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-3.3.5"

All Horde webmail users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-webmail-1.2.4"

All Horde groupware users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-groupware-1.2.4"


References

CVE-2009-3236
CVE-2009-3237


Last edited by GLSA on Sun Nov 22, 2009 4:29 am; edited 1 time in total
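The advisory's "Affected Packages" table and its three emerge commands describe one check: is the installed version below the unaffected threshold, and if so, which atom to pass to emerge. The script below carries that check out over a small constructed inventory. It is an added example, not part of the advisory or of Gentoo's own tooling; the package ranges are copied from the advisory text, the installed versions are constructed sample data, and version handling is deliberately limited to dotted numeric versions with an optional Gentoo "-rN" revision (suffixes such as _rc or _p are not handled).

```python
"""Flag installed Horde packages inside the GLSA 200911-01 vulnerable ranges
and build the atom used in the advisory's emerge command.

Added example, not part of the advisory or of Gentoo's tooling. Version
parsing is limited to dotted numeric versions with an optional "-rN"
revision, which covers every version named in this advisory.
"""
from typing import Dict, List, Tuple

# (vulnerable constraint, unaffected constraint) per package, copied from the
# advisory's "Affected Packages" section.
ADVISORY_RANGES: Dict[str, Tuple[str, str]] = {
    "www-apps/horde": ("< 3.3.5", ">= 3.3.5"),
    "www-apps/horde-webmail": ("< 1.2.4", ">= 1.2.4"),
    "www-apps/horde-groupware": ("< 1.2.4", ">= 1.2.4"),
}

# Constructed sample inventory (hypothetical hosts), not real data.
INSTALLED: List[Tuple[str, str]] = [
    ("www-apps/horde", "3.3.4"),
    ("www-apps/horde-webmail", "1.2.4"),
    ("www-apps/horde-groupware", "1.2.3-r1"),
    ("www-apps/horde", "3.3.5"),
    ("www-apps/otherpkg", "1.0"),  # not covered by this advisory
]

Version = Tuple[Tuple[int, ...], int]


def parse_version(version: str) -> Version:
    """Split 'X.Y.Z[-rN]' into (numeric components, revision).

    Python compares tuples element by element, so (3, 3) < (3, 3, 5), and a
    higher -rN revision of the same base version sorts later.
    """
    base, _, revision = version.partition("-r")
    numbers = tuple(int(part) for part in base.split("."))
    return numbers, int(revision) if revision else 0


def satisfies(version: str, constraint: str) -> bool:
    """True if version meets a constraint such as '< 3.3.5' or '>= 1.2.4'."""
    operator, _, bound = constraint.partition(" ")
    have, want = parse_version(version), parse_version(bound)
    checks = {
        "<": have < want,
        "<=": have <= want,
        ">=": have >= want,
        ">": have > want,
        "=": have == want,
    }
    return checks[operator]


def affected(installed: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the installed (package, version) pairs in a vulnerable range."""
    return [
        (pkg, ver)
        for pkg, ver in installed
        if pkg in ADVISORY_RANGES and satisfies(ver, ADVISORY_RANGES[pkg][0])
    ]


def upgrade_atom(package: str) -> str:
    """Build the atom the advisory passes to emerge, e.g. '>=www-apps/horde-3.3.5'."""
    operator, _, bound = ADVISORY_RANGES[package][1].partition(" ")
    return f"{operator}{package}-{bound}"


if __name__ == "__main__":
    for pkg, ver in affected(INSTALLED):
        atom = upgrade_atom(pkg)
        print(f'{pkg}-{ver} is vulnerable; emerge --ask --oneshot --verbose "{atom}"')
```

Run as-is, the script reports the two sample entries below their thresholds (horde 3.3.4 and horde-groupware 1.2.3-r1) together with the matching emerge atom, and stays silent for versions at or above the unaffected bound.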