Rainer Dorsch
2012-Feb-16 08:47 UTC
[Secure-testing-team] Bug#660077: horde3: Remote execution backdoor after server hack
Package: horde3
Version: 3_3.3.12+debian0-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

a horde3 security issue is described here, which I would like to bring to your attention:

http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155

The version number of the compromised code matches what is in wheezy and sid:

rd at blackbox:~$ apt-cache policy horde3
horde3:
  Installiert: (keine)
  Kandidat: 3.3.12+debian0-2
  Versionstabelle:
     3.3.12+debian0-2 0
        500 http://ftp-stud.fht-esslingen.de/debian/ wheezy/main i386 Packages
        300 http://ftp-stud.fht-esslingen.de/debian/ sid/main i386 Packages
rd at blackbox:~$

I know that is not the only prerequisite to be exposed to the security issue, but I think even if not affected, closing this bug report and documenting your assessment this way is the right way to deal with this issue.

Many thanks,
Rainer

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (300, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.1.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash