Bug#: 212635
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Pierre-Yves Rofes <py@gentoo.org>
Description:   Opened: 2008-03-07 23:44 0000
Some vulnerabilities have been reported in various Horde products, which can be
exploited by malicious people to bypass certain security restrictions.

1) The Horde API does not properly restrict access to users with the correct
credentials. No further information is currently available.

This vulnerability is reported in Horde 3.1.5, Mnemo 2.1.1, Nag 2.1.3,
Kronolith 2.1.6, Turba 2.1.5, Horde Groupware Webmail Edition 1.0.3, and Horde
Groupware 1.0.2. Prior versions may also be affected.

2) The share change functionality does not properly restrict access to users
with the correct credentials. No further information is currently available.

This vulnerability is reported in Mnemo 2.1.1, Nag 2.1.3, Kronolith 2.1.6,
Horde Groupware Webmail Edition 1.0.3, and Horde Groupware 1.0.2. Prior
versions may also be affected.

Solution:
Update to Horde 3.1.6, Mnemo 2.1.2, Nag 2.1.4, Kronolith 2.1.7, Turba 2.1.6,
Horde Groupware Webmail Edition 1.0.4, and Horde Groupware 1.0.3.
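
The advisory above gives only a list of fixed versions, so the practical question for an administrator is "is any installed Horde package below its fix?". The following is an added example, not part of the original report or of Gentoo's tooling: it parses Gentoo-style installed atoms (category/package-version, with optional _alpha/_beta/_pre/_rc/_p suffix and -rN revision) and flags everything older than the fixed version. The package names for Horde Groupware and Horde Groupware Webmail Edition are assumptions; the other five atoms appear later in this thread. The installed list is constructed sample data; in practice you would feed it the output of something like `qlist -Iv www-apps/` from portage-utils.

```python
import re

# Fixed versions from the Solution section above. The horde-groupware and
# horde-webmail package names are assumptions for this example.
FIXED = {
    "www-apps/horde": "3.1.6",
    "www-apps/horde-mnemo": "2.1.2",
    "www-apps/horde-nag": "2.1.4",
    "www-apps/horde-kronolith": "2.1.7",
    "www-apps/horde-turba": "2.1.6",
    "www-apps/horde-groupware": "1.0.3",   # assumed package name
    "www-apps/horde-webmail": "1.0.4",     # assumed package name
}

# Gentoo (PMS) suffix ordering: _alpha < _beta < _pre < _rc < release < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

VER_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suf>alpha|beta|pre|rc|p)(?P<sufn>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)

# Simplification: the version is taken to start at the first "-<digit>" after the
# category/package part; package names that themselves contain "-<digit>" are not handled.
ATOM_RE = re.compile(r"^(?P<cp>[a-z0-9-]+/[A-Za-z0-9+_-]+?)-(?P<ver>\d.*)$")


def version_key(version):
    """Map '2.1.4_rc1-r2' to a tuple that sorts like Gentoo compares versions.

    Dotted components compare numerically (leading zeros are not special-cased
    here), then suffix rank, suffix number, then -r revision.
    """
    m = VER_RE.match(version)
    if not m:
        raise ValueError("unsupported version string: %r" % version)
    nums = tuple(int(x) for x in m["nums"].split("."))
    return (nums, SUFFIX_RANK[m["suf"]], int(m["sufn"] or 0), int(m["rev"] or 0))


def parse_atom(atom):
    """Split 'www-apps/horde-kronolith-2.1.7-r1' into (cp, version)."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError("not a category/package-version atom: %r" % atom)
    return m["cp"], m["ver"]


def affected(installed):
    """Return [(atom, fixed_version)] for installed atoms older than their fix.

    Packages not listed in FIXED are ignored; a pre-release of the fixed version
    (e.g. 2.1.4_rc1) is still older than 2.1.4 and is reported.
    """
    hits = []
    for atom in installed:
        cp, ver = parse_atom(atom)
        fixed = FIXED.get(cp)
        if fixed is not None and version_key(ver) < version_key(fixed):
            hits.append((atom, fixed))
    return hits


# Constructed sample of installed atoms, in the shape `qlist -Iv` prints.
INSTALLED_SAMPLE = [
    "www-apps/horde-3.1.5",
    "www-apps/horde-kronolith-2.1.7",
    "www-apps/horde-mnemo-2.1.1-r1",
    "www-apps/horde-nag-2.1.4_rc1",
    "www-apps/horde-turba-2.1.6",
    "www-apps/phpmyadmin-2.11.5",   # unrelated package, ignored
]

if __name__ == "__main__":
    for atom, fixed in affected(INSTALLED_SAMPLE):
        print("VULNERABLE: %s (fixed in %s)" % (atom, fixed))
```

The comparison deliberately treats a revision bump (-r1) of an old version as still vulnerable: a Gentoo revision changes the ebuild, not upstream code, so only the upstream version number decides whether the fix is present.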

------- Comment #1 From Pierre-Yves Rofes 2008-03-07 23:47:45 0000 -------
maintainers: Turba is ok, but at least horde-kronolith needs a fixed stable
version. ok for calling arches to stable 2.1.7?

------- Comment #2 From SpanKY 2008-03-09 10:34:21 0000 -------
it's fine

------- Comment #3 From Pierre-Yves Rofes 2008-03-09 20:54:33 0000 -------
Arches, please test and mark stable www-apps/horde-kronolith-2.1.7. Target
"alpha amd64 hppa ppc sparc x86"

------- Comment #4 From Steve Dibb 2008-03-10 14:02:38 0000 -------
amd64 stable

------- Comment #5 From Ferris McCormick 2008-03-10 19:33:02 0000 -------
Sparc stable as to horde-kronolith-2.1.7 --- if there's more to this, please
add us back.

------- Comment #6 From Jeroen Roovers 2008-03-11 04:46:59 0000 -------
Stable for HPPA.

------- Comment #7 From Christian Faulhammer 2008-03-12 07:23:18 0000 -------
x86 stable

------- Comment #8 From Raúl Porcel 2008-03-12 15:40:58 0000 -------
alpha stable

------- Comment #9 From Tobias Scherbaum 2008-03-14 08:12:02 0000 -------
ppc stable

------- Comment #10 From Peter Volkov 2008-03-14 17:55:04 0000 -------
Fixed in release snapshot.

------- Comment #11 From Robert Buchholz 2008-03-15 14:06:41 0000 -------
Not sure why this hasn't been mentioned before, but we still need to stable

=www-apps/horde-mnemo-2.1.2
Target keywords : "alpha amd64 hppa ppc release sparc x86"

=www-apps/horde-nag-2.1.4
Target keywords : "alpha amd64 hppa ppc release sparc x86"

The other mentioned packages are being stabled for bug 213493.

vapier, good to go?

------- Comment #12 From Pierre-Yves Rofes 2008-03-15 16:39:46 0000 -------
(In reply to comment #11)
> Not sure why this hasn't been mentioned before, but we still need to stable
> 
> =www-apps/horde-mnemo-2.1.2
> Target keywords : "alpha amd64 hppa ppc release sparc x86"
> 
> =www-apps/horde-nag-2.1.4
> Target keywords : "alpha amd64 hppa ppc release sparc x86"
> 
> The other mentioned packages are being stabled for bug 213493.
> 
> vapier, good to go?
> 

vapier: I assume it's ok to call arches as per your comment #2, uncc them if
something's wrong.

------- Comment #13 From Pierre-Yves Rofes 2008-03-15 16:45:49 0000 -------
sorry, forgot release@

------- Comment #14 From SpanKY 2008-03-15 23:54:38 0000 -------
not sure why release would care ... they don't use horde in any release media

in general, you can stabilize any horde package

------- Comment #15 From Jeroen Roovers 2008-03-17 18:14:38 0000 -------
Stable for HPPA.

------- Comment #16 From Tobias Scherbaum 2008-03-18 18:31:56 0000 -------
(In reply to comment #11)
> =www-apps/horde-mnemo-2.1.2
> Target keywords : "alpha amd64 hppa ppc release sparc x86"
> 
> =www-apps/horde-nag-2.1.4
> Target keywords : "alpha amd64 hppa ppc release sparc x86"

both ppc stable

------- Comment #17 From Raúl Porcel 2008-03-18 19:35:50 0000 -------
alpha/sparc/x86 stable

------- Comment #18 From Markus Meier 2008-03-21 11:42:08 0000 -------
amd64 stable (last arch)

------- Comment #19 From Peter Volkov 2008-03-21 20:34:03 0000 -------
Fixed in release snapshot.

------- Comment #20 From Robert Buchholz 2008-03-24 19:47:52 0000 -------
I vote yes together with bug 213493.

------- Comment #21 From Tobias Heinlein 2008-03-29 20:22:28 0000 -------
Voting YES, too.

------- Comment #22 From Pierre-Yves Rofes 2008-05-05 21:17:51 0000 -------
GLSA 200805-01
