Although all versions of horde v3.09 and prior are vulnerable to this attack, many distributions of PHP are not vulnerable by default. This vulnerability was tested and exploited on a default Fedora Core 4 install, although several horde developers were unable to reproduce this vulnerability on Debian based servers. In the file /services/go.php, an insecure call is made to the readfile() function. http://www.codescan.com/Advisories/CodeScanLabs_Horde.html
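The advisory above names the bug class (an unvalidated argument handed to readfile()) but the thread does not reproduce the go.php code, so the following is an added illustration of that class and its usual fix, not Horde's own code. The function names, the base directory and the request parameter are hypothetical; the point is the confinement check that the hardened version performs before reading anything.

```php
<?php
// Hypothetical illustration of the bug class named in the advisory: a
// request-controlled value passed straight to readfile(). Not Horde's go.php.

// Vulnerable pattern: whatever the client supplies is used as the path, so any
// file the web server process can read may be disclosed.
function serve_file_unsafe(string $requested): void
{
    readfile($requested);
}

// Hardened pattern: resolve the request against a fixed base directory and only
// read the file if its canonical path still lies inside that directory.
function resolve_safe_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Embedded NUL bytes can truncate the path at the C level; refuse them.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }
    // realpath() has already collapsed "../" segments and symlinks, so a plain
    // prefix comparison against the base directory is reliable here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

// Returns true when a file inside $baseDir was served, false otherwise.
function serve_file_safe(string $baseDir, string $requested): bool
{
    $path = resolve_safe_path($baseDir, $requested);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    readfile($path);
    return true;
}

// Constructed usage: only names that resolve inside the chosen directory are read.
// serve_file_safe('/var/www/horde/help', $_GET['file'] ?? '');
```

The check relies on realpath() resolving the final path before the prefix comparison, which is what defeats traversal sequences and symlinks pointing outside the base directory; a string check on the raw request alone is not sufficient.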
arches, please test and mark stable - thank you.
What do you want stable? Also switching from horde 2.x -> 3.x is a major upgrade, and all of the horde framework apps must be upgraded as well since they won't work otherwise.
Damn, thanks for the headsup. Web-apps/vapier please comment what to do here: Can you backport the fixes or should we go for a stable of the whole framework? Removing arches until it's sure what needs to be done.
the next horde series was added about a week ago, but if people are happy with it, people can stabilize it
Ok arches, please try to stable the whole horde 3.1 framework, thanks.
i was asked which packages need to go stable at the same time, vapier/spanky could you please provide a list? thx.
All of the latest www-apps/horde-* basically. I'm already testing them, but it takes time to configure them from scratch.
horde-3.1, horde-chora-2.0.1, horde-gollem-1.0.2, horde-imp-4.1, horde-ingo-1.1, horde-kronolith-2.1, horde-mnemo-2.1, horde-nag-2.1, horde-passwd-3.0, horde-turba-2.1 all need to go stable at once. Some apps weren't stable before since they didn't exist for horde-2 so choose yourself, for consistency i'd say go for all of them - though that requires a big amount of extra testing. Two notes worth mentioning: There's no longer need to touch registry.php to register apps, the GUI setup on horde does that nowadays (mentioned in the horde eclass). With respect to horde-turba, it has some sucky default for sources, namely netcenter that doesn't exist any more and gets initialized every time turba is called without regard for usage, thus tries to connect to a non-existent LDAP server, thus takes aaages to timeout and makes it look like it's broken. If someone could add a note to remove the netcenter source from $WHERE_THINGS_ARE_INSTALLED/horde/turba/config/sources.php some people would be grateful. Had to bump gollem to 1.0.2 since the previous ones had some issues with horde 3.1 (and other bugs). That being said, sparc stable. /me rests.
I've been using these on both ppc and amd64, but I've only marked ppc stable since I'm not on the amd64 team. :)
Works on x86 as best as I can tell. Stable on x86 :)
hppa stable.
Ahem, just seeing the following on freshmeat: Horde Application Framework 3.1.1 [..] Release focus: Major security fixes Changes: A potential remote code execution hole has been fixed in the help viewer. This hole is present in all Horde versions after 3.0. It is not present in 2.x and earlier releases. Additional changes: export and synchronization of events across daylight saving time changes has been fixed. The MySQL session handler and support for Internet Explorer 7 and Opera Mini browsers have been improved. Some minor bugs have been fixed.
We opened bug 127889 to track the Help Viewer vulnerability
Un-CC'ing the remaining arches because 3.1.1 is supposed to become stable. Adding #127889 as blocker for this, so that I remember to close this one as soon as 3.1.1 is stable on amd64 and alpha.
GLSA 200604-02 Thanks everybody!