Hi

On Fri, Mar 16, 2007 at 08:29:44AM +0100, Lionel Elie Mamane wrote:
> Package: horde3
> Version: 3.0.4-1, 3.1-1
> Severity: critical
> Tags: security
> Justification: security hole on mere installation of package
>
> Changelog for new upstream release 3.1.4 says:
>
> This (...) fixes an arbitrary file deletion vulnerability exploitable
> by local system (not Horde) users on systems using the example cron
> cleanup script.

Which we are, I assume...

> Major changes compared to Horde 3.1.4-RC1 are:
> * Correctly quote file names in cleanup script for temporary files.
>
> Actually, sarge (3.0.4) may be vulnerable or not, I haven't checked
> yet.

Likely that is the case. Will you create a fix for this?

Regards,

// Ola

> --
> Lionel

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                   Annebergsslingan 37      \
|  [EMAIL PROTECTED]                   654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://opalsys.net/                 UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------