Some vulnerabilities have been reported in various Horde products, which can be exploited by malicious people to bypass certain security restrictions.

1) The Horde API does not properly restrict access to users with the correct credentials. No further information is currently available. This vulnerability is reported in Horde 3.1.5, Mnemo 2.1.1, Nag 2.1.3, Kronolith 2.1.6, Turba 2.1.5, Horde Groupware Webmail Edition 1.0.3, and Horde Groupware 1.0.2. Prior versions may also be affected.

2) The share change functionality does not properly restrict access to users with the correct credentials. No further information is currently available. This vulnerability is reported in Mnemo 2.1.1, Nag 2.1.3, Kronolith 2.1.6, Horde Groupware Webmail Edition 1.0.3, and Horde Groupware 1.0.2. Prior versions may also be affected.

Solution: Update to Horde 3.1.6, Mnemo 2.1.2, Nag 2.1.4, Kronolith 2.1.7, Turba 2.1.6, Horde Groupware Webmail Edition 1.0.4, and Horde Groupware 1.0.3.
maintainers: Turba is ok, but at least horde-kronolith needs a fixed stable version. ok for calling arches to stable 2.1.7?
it's fine
Arches, please test and mark stable www-apps/horde-kronolith-2.1.7. Target "alpha amd64 hppa ppc sparc x86"
amd64 stable
Sparc stable as to horde-kronolith-2.1.7 --- if there's more to this, please add us back.
Stable for HPPA.
x86 stable
alpha stable
ppc stable
Fixed in release snapshot.
Not sure why this hasn't been mentioned before, but we still need to stable
=www-apps/horde-mnemo-2.1.2
Target keywords : "alpha amd64 hppa ppc release sparc x86"
=www-apps/horde-nag-2.1.4
Target keywords : "alpha amd64 hppa ppc release sparc x86"
The other mentioned packages are being stabled for bug 213493.
vapier, good to go?
(In reply to comment #11)
> Not sure why this hasn't been mentioned before, but we still need to stable
>
> =www-apps/horde-mnemo-2.1.2
> Target keywords : "alpha amd64 hppa ppc release sparc x86"
>
> =www-apps/horde-nag-2.1.4
> Target keywords : "alpha amd64 hppa ppc release sparc x86"
>
> The other mentioned packages are being stabled for bug 213493.
>
> vapier, good to go?
>
vapier: I assume it's ok to call arches as per your comment #2, uncc them if something's wrong.
sorry, forgot release@
not sure why release would care ... they don't use horde in any release media in general, you can stabilize any horde package
(In reply to comment #11)
> =www-apps/horde-mnemo-2.1.2
> Target keywords : "alpha amd64 hppa ppc release sparc x86"
>
> =www-apps/horde-nag-2.1.4
> Target keywords : "alpha amd64 hppa ppc release sparc x86"
both ppc stable
alpha/sparc/x86 stable
amd64 stable (last arch)
I vote yes together with bug 213493.
Voting YES, too.
GLSA 200805-01