126435 2006-03-16 08:29 0000 www-apps/horde - Unauthenticated Arbitrary File Read 2006-04-04 11:54:23 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.codescan.com/Advisories/CodeScanLabs_Horde.html C4? [stable] DerCorny P2 trivial --- 127889 1 carlo@gentoo.org security@gentoo.org web-apps@gentoo.org carlo@gentoo.org 2006-03-16 08:29:30 0000 Although all versions of horde v3.09 and prior are vulnerable to this attack, many distrubitions of PHP are not vulnerable by default. This vulnerability was tested and exploited on a default Fedora Core 4 install, although several horde developers were unable to reproduce this vulnerability on Debian based servers. In the file /services/go.php, an insecure call is made to the readfile() function. http://www.codescan.com/Advisories/CodeScanLabs_Horde.html dercorny@gentoo.org 2006-03-16 08:39:43 0000 arches, please test and mark stable - thank you. gustavoz@gentoo.org 2006-03-16 09:11:25 0000 What do you want stable? Also switching from horde 2.x -> 3.x is a major upgrade, and all of the horde framework apps must be upgraded as well since they won't work otherwise. dercorny@gentoo.org 2006-03-16 09:18:00 0000 Damn, thanks for the headsup. Web-apps/vapier please comment what to do here: Can you backport the fixes or should we go for a stable of the whole framework? Removing arches until it's sure what needs to be done. vapier@gentoo.org 2006-03-16 20:30:52 0000 the next horde series was added about a week ago, but i if people are happy with it, people can stabilize it dercorny@gentoo.org 2006-03-17 02:08:00 0000 Ok arches, please try to stable the whole horde 3.1 framework, thanks. dercorny@gentoo.org 2006-03-20 09:56:36 0000 i was asked which packages need to go stable at the same time, vapier/spanky could you please provide a list? thx. gustavoz@gentoo.org 2006-03-20 09:59:22 0000 All of the latest www-apps/horde-* basically. I'm already testing them, but it takes time to configure them from scratch. gustavoz@gentoo.org 2006-03-20 14:16:25 0000 horde-3.1, horde-chora-2.0.1, horde-gollem-1.0.2, horde-imp-4.1, horde-ingo-1.1, horde-kronolith-2.1, horde-mnemo-2.1, horde-nag-2.1, horde-passwd-3.0, horde-turba-2.1 all need to go stable at once. Some apps weren't stable before since they didn't exist for horde-2 so choose yourself, for consistency i'd say go for all of them - though that requires a big amount of extra testing. Two notes worth mention: There's no longer need to touch registry.php to register apps, the GUI setup on horde does that nowadays (mentioned in the horde eclass). With respect to horde-turba, it has some sucky default for sources, namely netcenter that doesn't exist any more and gets initialized every time turba is called without regard for usage, thus tries to connect to a non-existant LDAP server, thus takes aaages to timeout and makes it look like it's broken. If someone could add a note to remove the netcenter source from $WHERE_THINGS_ARE_INSTALLED/horde/turba/config/sources.php some people would be grateful. Had to bump gollem to 1.0.2 since the previous ones had some issues with horde 3.1 (and other bugs). That being said, sparc stable. /me rests. josejx@gentoo.org 2006-03-24 22:21:33 0000 I've been using these on both ppc and amd64, but I've only marked ppc stable since I'm not on the amd64 team. :) halcy0n@gentoo.org 2006-03-27 18:36:12 0000 Works on x86 as best as I can tell. Stable on x86 :) gustavoz@gentoo.org 2006-03-28 09:38:31 0000 hppa stable. carlo@gentoo.org 2006-03-28 11:54:51 0000 Ahem, just seeing the following on freshmeat: Horde Application Framework 3.1.1 [..] Release focus: Major security fixes Changes: A potential remote code execution hole has been fixed in the help viewer. This hole is present in all Horde versions after 3.0. It is not present in 2.x and earlier releases. Additional changes: export and synchronization of events across daylight saving time changes has been fixed. The MySQL session handler and support for Internet Explorer 7 and Opera Mini browsers have been improved. Some minor bugs have been fixed. jslootbeek@gmail.com 2006-03-28 11:57:45 0000 We opened bug 127889 to track the Help Viewer vulnerability dercorny@gentoo.org 2006-03-28 17:08:12 0000 Un-CC'ing the remaining arches because 3.1.1 is supposed to become stable. Adding #127889 as blocker for this, so that I remember to close this one as soon as 3.1.1 is stable on amd64 and alpha. dercorny@gentoo.org 2006-04-04 11:54:23 0000 GLSA 200604-02 Thanks everybody!