| Summary: | <www-apps/horde-3.3.4 and <www-apps/horde-groupware-1.2.3 arbitrary HTML/script injection (CVE-2009-{0931,0932}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | glua, web-apps, wrobel |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.503 | ||
| Whiteboard: | B1 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Stefan Behte (RETIRED)
2009-03-19 00:04:19 UTC
CVE-2009-0932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0932): Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name. Horde stabling via bug 256125. +*horde-groupware-1.2.3 (24 Aug 2009) + + 24 Aug 2009; Alex Legler <a3li@gentoo.org> -horde-groupware-1.0.7.ebuild, + -horde-groupware-1.1.3.ebuild, -horde-groupware-1.2.ebuild, + +horde-groupware-1.2.3.ebuild: + Non-maintainer commit: Version bump for security bug 262978. Removing + vulnerable versions. ~arch only This includes file inclusion -> B1 -> GLSA draft filed. GLSA 200909-14 |
