On Wed, Mar 29, 2006 at 05:04:27PM +0200, Martin Schulze wrote:

> I've been told (haven't had the time to check on my own) that a very
> serious security problem in horde has been discovered.

Yes. Remote code execution. I don't know the details. horde and horde2 are not affected, horde3 all versions up to 3.1.1 and 3.0.10 are affected.

> Are you able to provide fixed packages for woody,

Not affected: contains only horde.

> sarge and sid

Affected. Even the just uploaded 3.1 (currently in incoming) is affected.

To fix sarge: The diff between upstream 3.0.9 and 3.0.10 is the best starting point I know of; the changelog is:

 * Fix for remote code execution vulnerability in the help viewer, discovered by Jan Schneider from the Horde team.
 * Fixed a few minor bugs.

Fix of sid/etch should happen by upload of upstream 3.1.1.

> soon,

Personally, I have a security update to Mailman to prepare, and then I can turn to Horde3. Which means I *might* be able to do something Thursday evening (today is not totally excluded); if not then the next probable Debian-slot is Sunday or Monday. I live in UTC+2, but my biological clock is still at UTC+1.

In the team, opal has been active lately, so he may surprise us with an update soon.

--
Lionel

On Wed, Mar 29, 2006 at 05:25:34PM +0200, Lionel Elie Mamane wrote:

> Personally, I have a security update to Mailman to prepare, and then I
> can turn to Horde3.

Is that the DoS that was reported a day or two ago, for which I got a CVE ID? If so I'm preparing packages for Sarge right now.

Steve
--

On Wed, Mar 29, 2006 at 04:29:30PM +0100, Steve Kemp wrote:

> On Wed, Mar 29, 2006 at 05:25:34PM +0200, Lionel Elie Mamane wrote:
>> Personally, I have a security update to Mailman to prepare, and
>> then I can turn to Horde3.

> Is that the DoS that was reported a day or two ago, for which
> I got a CVE ID?

Yes.

> If so I'm preparing packages for Sarge right now.

Ah, good, thanks. Are you including a fix for #358575 in it? (Cf my email of yesterday: <20060328211758.GA31156@capsaicin.mamane.lu> .)

If you want me to test the packages, I have a testbed machine with no production (only toy / test) Mailman lists where I can do it.

--
Lionel

Lionel Elie Mamane wrote:

> > Are you able to provide fixed packages for woody,
>
> Not affected: contains only horde.

Ok.

> > sarge and sid
>
> Affected. Even the just uploaded 3.1 (currently in incoming) is
> affected.

Ok.

> To fix sarge: The diff between upstream 3.0.9 and 3.0.10 is the best
> starting point I know of; the changelog is:
>
> * Fix for remote code execution vulnerability in the help viewer,
> discovered by Jan Schneider from the Horde team.
> * Fixed a few minor bugs.
>
> Fix of sid/etch should happen by upload of upstream 3.1.1.
>
> > soon,
>
> Personally, I have a security update to Mailman to prepare, and then I
> can turn to Horde3. Which means I *might* be able to do something
> Thursday evening (today is not totally excluded); if not then the next
> probable Debian-slot is Sunday or Monday.

If the horde problem is arbitrary execution of remotely injected php code, then it is a lot more serious than the dos/mbox crash bug in mailman because it means remote access to machines where people are not supposed to have remote access.

> In the team, opal has been active lately, so he may surprise us with
> an update soon.

That would be appreciated.

Regards,

Joey

--
The only stupid question is the unasked one.

Steve Kemp wrote:

> On Wed, Mar 29, 2006 at 05:25:34PM +0200, Lionel Elie Mamane wrote:
>
> > Personally, I have a security update to Mailman to prepare, and then I
> > can turn to Horde3.
>
> Is that the DoS that was reported a day or two ago, for which
> I got a CVE ID?
>
> If so I'm preparing packages for Sarge right now.

Cool.

Regards,

Joey

--
The only stupid question is the unasked one.

On Wed, Mar 29, 2006 at 05:42:53PM +0200, Lionel Elie Mamane wrote:

> Ah, good, thanks. Are you including a fix for #358575 in it? (Cf my
> email of yesterday: <20060328211758.GA31156@capsaicin.mamane.lu> .)

Nobody else commented on it, and I didn't think it qualified for a security update - so no, I didn't intend to.

> If you want me to test the packages, I have a testbed machine with no
> production (only toy / test) Mailman lists where I can do it.

OK thanks. I'll mail you off-list(s) in a couple of hours with a pointer to the packages.

Steve
--

On Wed, Mar 29, 2006 at 05:45:04PM +0200, Martin Schulze wrote:

> Lionel Elie Mamane wrote:
>> Personally, I have a security update to Mailman to prepare, and then I
>> can turn to Horde3.

> (..) the horde problem (...) is a lot more serious than the dos/mbox
> crash bug in mailman

Steve is taking care of Mailman, so the point is becoming moot.

I'm preparing an update of horde3 for sarge now; it will contain more changes than Moritz's patch.

--
Lionel

On Wed, Mar 29, 2006 at 05:25:34PM +0200, Lionel Elie Mamane wrote:

> On Wed, Mar 29, 2006 at 05:04:27PM +0200, Martin Schulze wrote:
>> I've been told (haven't had the time to check on my own) that a
>> very serious security problem in horde has been discovered.

> Yes. Remote code execution. I don't know the details. horde and
> horde2 are not affected, horde3 all versions up to 3.1.1 and 3.0.10
> are affected.

There doesn't seem to be a CVE number for that?

But there is another issue, namely CVE-2006-1260. I'm investigating it.

--
Lionel

Lionel Elie Mamane wrote:

> On Wed, Mar 29, 2006 at 05:25:34PM +0200, Lionel Elie Mamane wrote:
> > On Wed, Mar 29, 2006 at 05:04:27PM +0200, Martin Schulze wrote:
>
> >> I've been told (haven't had the time to check on my own) that a
> >> very serious security problem in horde has been discovered.
>
> > Yes. Remote code execution. I don't know the details. horde and
> > horde2 are not affected, horde3 all versions up to 3.1.1 and 3.0.10
> > are affected.
>
> There doesn't seem to be a CVE number for that?

Correct. One is requested already, though. I'll pass it to you once I see it (or Steve can do that).

> But there is another issue, namely CVE-2006-1260. I'm investigating
> it.

Oh. Thanks.

Regards,

Joey

--
The only stupid question is the unasked one.

On Wed, Mar 29, 2006 at 07:00:23PM +0200, Martin Schulze wrote:

> Lionel Elie Mamane wrote:
>> On Wed, Mar 29, 2006 at 05:25:34PM +0200, Lionel Elie Mamane wrote:
>>> On Wed, Mar 29, 2006 at 05:04:27PM +0200, Martin Schulze wrote:
>>>> I've been told (haven't had the time to check on my own) that a
>>>> very serious security problem in horde has been discovered.
>>> Yes. Remote code execution.
>> There doesn't seem to be a CVE number for that?
> Correct. One is requested already, though. I'll pass it to you
> once I see it (or Steve can do that).

>> But there is another issue, namely CVE-2006-1260. I'm investigating
>> it.
> Oh. Thanks.

Woody, sarge, etch and sid are affected, but the version now in incoming (3.1-1) fixes it.

--
Lionel