Package: kronolith2
Severity: critical
Version: 2.0.0
Tags: security

Apparently, there was a way to force kronolith2 versions 2.1.0 up to
2.1.3 (and 2.0.0 up to 2.0.7) to include an arbitrary file in some
page it serves. Solved by new upstream version. CVE number unknown.

Unknown whether kronolith (1.x) in sarge is similarly vulnerable (that
version is not supported upstream anymore).

-- 
Lionel
--- Begin Message ---
The Horde Team is pleased to announce the final release of the Kronolith
Calendar Application version H3 (2.1.4).

This is a security release. All users are strongly advised to upgrade as soon
as possible. Thanks to iDefense for the vulnerability report.

Kronolith is the Horde calendar application.  It provides web-based calendars
backed by a SQL database or a Kolab server.  Supported features include shared
calendars, remote calendars, meeting management, alarms, recurring events, and
a sophisticated day/week view which handles arbitrary numbers of overlapping
events.

Major changes compared to the Kronolith H3 (2.1.3) version are:
    * Close arbitrary file inclusion in free/busy views.

The full list of changes (from version H3 (2.1.3)) can be viewed here:

http://cvs.horde.org/diff.php/kronolith/docs/CHANGES?r1=1.165.2.138&r2=1.165.2.142&ty=h

The Kronolith H3 (2.1.4) distribution is available from the following locations:

    ftp://ftp.horde.org/pub/kronolith/kronolith-h3-2.1.4.tar.gz
    http://ftp.horde.org/pub/kronolith/kronolith-h3-2.1.4.tar.gz

Patches against version H3 (2.1.3) are available at:

    ftp://ftp.horde.org/pub/kronolith/patches/patch-kronolith-h3-2.1.3-h3-2.1.4.gz
    http://ftp.horde.org/pub/kronolith/patches/patch-kronolith-h3-2.1.3-h3-2.1.4.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    df6d6fc99012865b18b089212c7544ad  kronolith-h3-2.1.4.tar.gz
    b20cd6c44db40649fd98cc2716f1cb47  patch-kronolith-h3-2.1.3-h3-2.1.4.gz

Have fun!

The Horde Team.

--- End Message ---