Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200911-01 ] Horde: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1471

PostPosted: Fri Nov 06, 2009 2:26 pm    Post subject: [ GLSA 200911-01 ] Horde: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: Horde: Multiple vulnerabilities (GLSA 200911-01)
Severity: normal
Exploitable: remote
Date: November 06, 2009
Bug(s): #285052
ID: 200911-01

Synopsis


Multiple vulnerabilities in the Horde Application Framework can allow for
arbitrary files to be overwritten and cross-site scripting attacks.


Background


Horde is a web application framework written in PHP.


Affected Packages

Package: www-apps/horde
Vulnerable: < 3.3.5
Unaffected: >= 3.3.5
Architectures: All supported architectures

Package: www-apps/horde-webmail
Vulnerable: < 1.2.4
Unaffected: >= 1.2.4
Architectures: All supported architectures

Package: www-apps/horde-groupware
Vulnerable: < 1.2.4
Unaffected: >= 1.2.4
Architectures: All supported architectures


Description


Multiple vulnerabilities have been discovered in Horde:
  • Stefan Esser of Sektion1 reported an error within the form library
    when handling image form fields (CVE-2009-3236).
  • Martin
    Geisler and David Wharton reported that an error exists in the MIME
    viewer library when viewing unknown text parts and the preferences
    system in services/prefs.php when handling number preferences
    (CVE-2009-3237).


Impact


A remote authenticated attacker could exploit these vulnerabilities to
overwrite arbitrary files on the server, provided that the user has
write permissions. A remote authenticated attacker could conduct
Cross-Site Scripting attacks.


Workaround


There is no known workaround at this time.


Resolution


All Horde users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-3.3.5"

All Horde webmail users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-webmail-1.2.4"

All Horde groupware users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-groupware-1.2.4"


References

CVE-2009-3236
CVE-2009-3237


Last edited by GLSA on Sun Nov 22, 2009 4:29 am; edited 1 time in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum