Bug 371318 - dev-php/Horde_Auth: Authentication bypass vulnerability
Summary: dev-php/Horde_Auth: Authentication bypass vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://lists.horde.org/archives/annou...
Whiteboard: ~1 [noglsa]
Reported: 2011-06-12 21:36 UTC by Tim Sammut (RETIRED)
Modified: 2011-06-15 17:16 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2011-06-12 21:36:16 UTC
From $URL:

The Horde Team has released version 1.0.4 of the Horde_Auth framework package.

This is an important security release that fixes a serious bug in the  
composite authentication driver that could allow a user to access the  
Horde system even though authentication failed for a sub-driver.

Affected are all versions of the Horde_Auth library from 1.0.0alpha1  
to 1.0.3. Only systems using the composite authentication driver are  
affected. Horde applications that require another login step, e.g.  
IMP, are not affected, even if this 2nd authentication is done  
transparently.

All affected systems should update the Horde_Auth package IMMEDIATELY.  
This can be done using the PEAR installer:

    pear upgrade horde/horde_auth

The Horde Team.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-06-15 17:16:09 UTC
bumped, removed old version. Closing noglsa as ~arch only. Thanks.