Package: horde3
Version: 3.0.4-1, 3.1-1
Severity: critical
Tags: security
Justification: security hole on mere installation of package

Changelog for new upstream release 3.1.4 says:

  This (...) fixes an arbitrary file deletion vulnerability exploitable by
  local system (not Horde) users on systems using the example cron cleanup
  script.

  Major changes compared to Horde 3.1.4-RC1 are:
    * Correctly quote file names in cleanup script for temporary files.

Actually, sarge (3.0.4) may be vulnerable or not, I haven't checked yet.

--
Lionel