Package: horde3
Version: 3.0.4-1, 3.1-1
Severity: critical
Tags: security
Justification: security hole on mere installation of package

Changelog for new upstream release 3.1.4 says:

  This (...) fixes an arbitrary file deletion vulnerability exploitable
  by local system (not Horde) users on systems using the example cron
  cleanup script.

  Major changes compared to Horde 3.1.4-RC1 are:
  * Correctly quote file names in cleanup script for temporary files.

Actually, sarge (3.0.4) may be vulnerable or not; I haven't checked
yet.

--
Lionel
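
The changelog's fix is "correctly quote file names" in a temporary-file cleanup script. The following is an added example, not part of the report and not Horde's own script: a cleanup routine in which no file name is ever re-split by the shell, checked against a constructed sandbox. The function names, the 7-day threshold and the sandbox layout are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical names; not Horde's cron script).

# cleanup_tmp DIR DAYS: delete regular files under DIR older than DAYS days.
# find passes every path to rm as one argument, so whitespace or newlines
# in a name are never re-split by the shell; "--" ends option parsing.
cleanup_tmp() {
    [ -d "$1" ] || return 1
    case $2 in ''|*[!0-9]*) return 1 ;; esac   # DAYS must be a plain number
    find "$1" -type f -mtime +"$2" -exec rm -f -- {} +
}

# demo_cleanup: build a constructed sandbox and check the outcome.
# Returns 0 only if the old file is gone and everything else survived.
demo_cleanup() (
    sb=$(mktemp -d) || exit 1
    mkdir "$sb/tmp" && cd "$sb" || exit 1
    # Constructed input: an old temp file whose name contains a space.
    # Split on whitespace, its path would also name ./keep.txt.
    touch -t 200001010000 "tmp/old keep.txt"
    touch "tmp/fresh.tmp"       # recent file, must survive
    echo data > keep.txt        # file outside the temp dir, must survive
    cleanup_tmp "$sb/tmp" 7
    [ ! -e "tmp/old keep.txt" ] && [ -e tmp/fresh.tmp ] && [ -e keep.txt ]
    rc=$?
    cd / && rm -rf -- "$sb"     # remove the sandbox
    exit "$rc"
)
```

A script that instead expands an unquoted variable or pipes `find` output through a plain `xargs` splits names on whitespace, which is the class of defect the changelog entry describes.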