GLSA Advocate
Posted: Fri Nov 06, 2009 2:26 pm Post subject: [ GLSA 200911-01 ] Horde: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: Horde: Multiple vulnerabilities (GLSA 200911-01)
Severity: normal
Exploitable: remote
Date: November 06, 2009
Bug(s): #285052
ID: 200911-01
Synopsis
Multiple vulnerabilities in the Horde Application Framework can allow for
arbitrary files to be overwritten and cross-site scripting attacks.
Background
Horde is a web application framework written in PHP.
Affected Packages
Package: www-apps/horde
Vulnerable: < 3.3.5
Unaffected: >= 3.3.5
Architectures: All supported architectures
Package: www-apps/horde-webmail
Vulnerable: < 1.2.4
Unaffected: >= 1.2.4
Architectures: All supported architectures
Package: www-apps/horde-groupware
Vulnerable: < 1.2.4
Unaffected: >= 1.2.4
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in Horde:
- Stefan Esser of Sektion1 reported an error within the form library
when handling image form fields (CVE-2009-3236).
- Martin Geisler and David Wharton reported that an error exists in the
MIME viewer library when viewing unknown text parts and the preferences
system in services/prefs.php when handling number preferences
(CVE-2009-3237).
Impact
A remote authenticated attacker could exploit these vulnerabilities to
overwrite arbitrary files on the server, provided that the user has
write permissions. A remote authenticated attacker could conduct
Cross-Site Scripting attacks.
Workaround
There is no known workaround at this time.
Resolution
All Horde users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-3.3.5"
All Horde webmail users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-webmail-1.2.4"
All Horde groupware users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-groupware-1.2.4"
References
CVE-2009-3236
CVE-2009-3237
Last edited by GLSA on Sun Nov 22, 2009 4:29 am; edited 1 time in total
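Before and after running the emerge commands above, an administrator usually wants a quick check of whether the installed Horde packages already meet the advisory's "Unaffected" thresholds. The script below is an added example, not part of the GLSA or of the Gentoo tooling: it compares plain dotted versions against the three thresholds named in the advisory (3.3.5 for horde, 1.2.4 for horde-webmail and horde-groupware). The function names vercmp, glsa_status and installed_sample are the example's own, and the installed-version list is constructed so the script runs offline; on a real Gentoo host you would read the versions from /var/db/pkg instead. Gentoo revision suffixes such as -r1 or _p1 are deliberately not parsed here.

```shell
#!/bin/sh
# Added example (not from the advisory): check installed package versions
# against the Unaffected thresholds of GLSA 200911-01.
# Assumption: versions are plain dotted integers (3.3.4, 1.2.4); Gentoo
# suffixes like -r1 or _p1 are out of scope for this comparison.

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Missing components are treated as 0, so 1.2 compares equal to 1.2.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' "-1"; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' "1"; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    printf '%s\n' "0"
}

# glsa_status PACKAGE VERSION: prints "vulnerable" or "unaffected" for the
# packages listed in GLSA 200911-01, using the advisory's Unaffected versions.
# Exit status: 0 unaffected, 1 vulnerable, 2 package not covered.
glsa_status() {
    pkg="$1"; ver="$2"
    case "$pkg" in
        www-apps/horde)           fixed=3.3.5 ;;
        www-apps/horde-webmail)   fixed=1.2.4 ;;
        www-apps/horde-groupware) fixed=1.2.4 ;;
        *) printf '%s\n' "not covered by GLSA 200911-01"; return 2 ;;
    esac
    if [ "$(vercmp "$ver" "$fixed")" -lt 0 ]; then
        printf '%s\n' "vulnerable"; return 1
    fi
    printf '%s\n' "unaffected"; return 0
}

# Constructed sample standing in for the installed package list; on Gentoo
# the real data lives under /var/db/pkg/www-apps/.
installed_sample() {
    cat <<'EOF'
www-apps/horde 3.3.4
www-apps/horde-webmail 1.2.4
www-apps/horde-groupware 1.2.3
EOF
}

# Report each sample package against the advisory.
installed_sample | while read -r pkg ver; do
    printf '%s-%s: %s\n' "$pkg" "$ver" "$(glsa_status "$pkg" "$ver")"
done
```

The comparison is component-wise, so 3.3.4 is reported vulnerable while 3.4 is not, and a package outside the advisory's list is flagged as not covered rather than silently treated as safe.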