Moritz Muehlenhoff
2010-Jun-09 17:05 UTC
[Secure-testing-team] Bug#585165: CVE-2010-1916: Security issue in Xinha
Package: horde3
Severity: grave
Tags: security

Hi,
Horde includes a copy of Xinha, for which the following security issue was reported:

http://php-security.org/2010/05/10/mops-2010-019-serendipity-wysiwyg-editor-plugin-configuration-injection-vulnerability/index.html
http://xinha.webfactional.com/ticket/1518

Please check if your code copy is affected and update the internal copy.

There's already an ITP for xinha (Bug 479708) and since four packages currently in the archive use xinha (openacs, Horde, serendipity and dotlrn) it would be nice if we could migrate to a single package for Squeeze.

Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages horde3 depends on:
pn  apache2 | httpd  <none>  (no description available)
pn  libapache2-mod-php5 | libapac  <none>  (no description available)
pn  libapache2-mod-php5 | php5-cg  <none>  (no description available)
pn  libjs-scriptaculous  <none>  (no description available)
pn  php-log  <none>  (no description available)
pn  php-mail  <none>  (no description available)
pn  php-mail-mime  <none>  (no description available)
pn  php5-gd  <none>  (no description available)
pn  php5-mcrypt  <none>  (no description available)

Versions of packages horde3 recommends:
pn  fckeditor  <none>  (no description available)
ii  locales  2.10.2-9  Embedded GNU C Library: National L
ii  logrotate  3.7.8-6  Log rotation utility
pn  php-date  <none>  (no description available)
pn  php-db  <none>  (no description available)
pn  php-file  <none>  (no description available)
pn  php-services-weather  <none>  (no description available)
pn  php5-cli  <none>  (no description available)
pn  php5-mysql | php5-pgsql | pho  <none>  (no description available)
pn  tinymce2 | tinymce  <none>  (no description available)

Versions of packages horde3 suggests:
pn  chora2  <none>  (no description available)
pn  enscript  <none>  (no description available)
ii  gettext  0.18-1  GNU Internationalization utilities
pn  gollem  <none>  (no description available)
pn  imp4  <none>  (no description available)
pn  kronolith2  <none>  (no description available)
ii  libgeoip1  1.4.7~beta3+dfsg-2  A non-DNS IP-to-country resolver l
pn  libwpd-tools  <none>  (no description available)
pn  mnemo2  <none>  (no description available)
pn  php-net-imap  <none>  (no description available)
pn  php5-auth-pam  <none>  (no description available)
pn  php5-mhash  <none>  (no description available)
pn  ppthtml  <none>  (no description available)
ii  rpm  4.7.2-1+b2  package manager for RPM
pn  source-highlight  <none>  (no description available)
pn  turba2  <none>  (no description available)
pn  unrtf  <none>  (no description available)
pn  webcpp  <none>  (no description available)
pn  wv  <none>  (no description available)
pn  xlhtml  <none>  (no description available)