Bug 212635 - www-apps/{horde-kronolith,horde-mnemo,horde-nag} Security bypass
Summary: www-apps/{horde-kronolith,horde-mnemo,horde-nag} Security bypass
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28382/
Whiteboard: B4 [glsa]
Reported: 2008-03-07 23:44 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2008-05-05 21:17 UTC
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-07 23:44:47 UTC
Some vulnerabilities have been reported in various Horde products, which can be exploited by malicious people to bypass certain security restrictions.

1) The Horde API does not properly restrict access to users with the correct credentials. No further information is currently available.

This vulnerability is reported in Horde 3.1.5, Mnemo 2.1.1, Nag 2.1.3, Kronolith 2.1.6, Turba 2.1.5, Horde Groupware Webmail Edition 1.0.3, and Horde Groupware 1.0.2. Prior versions may also be affected.

2) The share change functionality does not properly restrict access to users with the correct credentials. No further information is currently available.

This vulnerability is reported in Mnemo 2.1.1, Nag 2.1.3, Kronolith 2.1.6, Horde Groupware Webmail Edition 1.0.3, and Horde Groupware 1.0.2. Prior versions may also be affected.

Solution:
Update to Horde 3.1.6, Mnemo 2.1.2, Nag 2.1.4, Kronolith 2.1.7, Turba 2.1.6, Horde Groupware Webmail Edition 1.0.4, and Horde Groupware 1.0.3.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-07 23:47:45 UTC
Maintainers: Turba is ok, but at least horde-kronolith needs a fixed stable version. OK for calling arches to stable 2.1.7?
Comment 2 SpanKY gentoo-dev 2008-03-09 10:34:21 UTC
it's fine
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-09 20:54:33 UTC
Arches, please test and mark stable www-apps/horde-kronolith-2.1.7. Target "alpha amd64 hppa ppc sparc x86"
Comment 4 Steve Dibb (RETIRED) gentoo-dev 2008-03-10 14:02:38 UTC
amd64 stable
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2008-03-10 19:33:02 UTC
Sparc stable as to horde-kronolith-2.1.7 --- if there's more to this, please add us back.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-11 04:46:59 UTC
Stable for HPPA.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-12 07:23:18 UTC
x86 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-03-12 15:40:58 UTC
alpha stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-14 08:12:02 UTC
ppc stable
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2008-03-14 17:55:04 UTC
Fixed in release snapshot.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-03-15 14:06:41 UTC
Not sure why this hasn't been mentioned before, but we still need to stable

=www-apps/horde-mnemo-2.1.2
Target keywords : "alpha amd64 hppa ppc release sparc x86"

=www-apps/horde-nag-2.1.4
Target keywords : "alpha amd64 hppa ppc release sparc x86"

The other mentioned packages are being stabled for bug 213493.

vapier, good to go?
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-15 16:39:46 UTC
(In reply to comment #11)
> Not sure why this hasn't been mentioned before, but we still need to stable
> 
> =www-apps/horde-mnemo-2.1.2
> Target keywords : "alpha amd64 hppa ppc release sparc x86"
> 
> =www-apps/horde-nag-2.1.4
> Target keywords : "alpha amd64 hppa ppc release sparc x86"
> 
> The other mentioned packages are being stabled for bug 213493.
> 
> vapier, good to go?
> 

vapier: I assume it's ok to call arches as per your comment #2, uncc them if something's wrong.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-15 16:45:49 UTC
sorry, forgot release@
Comment 14 SpanKY gentoo-dev 2008-03-15 23:54:38 UTC
Not sure why release would care ... they don't use Horde in any release media.

In general, you can stabilize any Horde package.
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-17 18:14:38 UTC
Stable for HPPA.
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-18 18:31:56 UTC
(In reply to comment #11)
> =www-apps/horde-mnemo-2.1.2
> Target keywords : "alpha amd64 hppa ppc release sparc x86"
> 
> =www-apps/horde-nag-2.1.4
> Target keywords : "alpha amd64 hppa ppc release sparc x86"

both ppc stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2008-03-18 19:35:50 UTC
alpha/sparc/x86 stable
Comment 18 Markus Meier gentoo-dev 2008-03-21 11:42:08 UTC
amd64 stable (last arch)
Comment 19 Peter Volkov (RETIRED) gentoo-dev 2008-03-21 20:34:03 UTC
Fixed in release snapshot.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 19:47:52 UTC
I vote yes together with bug 213493.
Comment 21 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-29 20:22:28 UTC
Voting YES, too.
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-05 21:17:51 UTC
GLSA 200805-01