ESB-2018.3025 - [Win][UNIX/Linux][Debian] php-horde: Cross-site scripting - Existing account 2018-10-08


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3025
                        php-horde - security update
                              8 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php-horde
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-16907 CVE-2017-16906 

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1535-1
   https://security-tracker.debian.org/tracker/DLA-1536-1
   https://security-tracker.debian.org/tracker/DLA-1537-1

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running php-horde check for an updated version of the software for 
         their operating system.
         
         This bulletin contains three (3) security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : php-horde
Version        : 5.2.1+debian0-2+deb8u4
CVE ID         : CVE-2017-16907
Debian Bug     : 909739

It was discovered that the Horde Application Framework written in PHP
was affected by a Cross-site scripting vulnerability via the Color
field in a Create Task List action. This may be used by attackers to
bypass access controls.

For Debian 8 "Jessie", this problem has been fixed in version
5.2.1+debian0-2+deb8u4.

We recommend that you upgrade your php-horde packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

==============================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : php-horde-core
Version        : 2.15.0+debian0-1+deb8u2
CVE ID         : CVE-2017-16907
Debian Bug     : 909800

It was discovered that the Horde Application Framework written in PHP
was affected by a Cross-site scripting vulnerability via the Color
field in a Create Task List action. This may be used by attackers to
bypass access controls.

For Debian 8 "Jessie", this problem has been fixed in version
2.15.0+debian0-1+deb8u2.

We recommend that you upgrade your php-horde-core packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

==============================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : php-horde-kronolith
Version        : 4.2.2-4+deb8u1
CVE ID         : CVE-2017-16906
Debian Bug     : 909737

It was discovered that the Horde Application Framework written in PHP
was affected by a Cross-site scripting vulnerability via the URL
field in a Calendar. This may be used by attackers to bypass access
controls.

For Debian 8 "Jessie", this problem has been fixed in version
4.2.2-4+deb8u1.

We recommend that you upgrade your php-horde-kronolith packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlu6he5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeS/WRAAsyt+cthELhZ1nSW1hN5pJ6hQ4rxeGGL232Bw8hUQF09WJChGYGbCDypK
gszePF6Dwv0RvTcJtMWwUfA8CD5eNhmV1I10sWpOe82CMw4OMVF9RygabPTm4vW1
VX4GCiGKVOMKxESSOAEljuB8NX+8YcrWKufI3Okl+MDXdh0neOyb3aalnIUObZWf
TAgJlRI78w1plzUphxtom3KMntJzMzVxgJpCEk9XcaF2b/dqtGHsvXFwuOSLLbHk
jbZwCmgqU7hPiRQa03lyxJZJDA3pxPb33W7bWkclmCV6rP2DU6lTNBvyWbryJEU9
oLrA6pPv+WnCzQ5q6PHiQOcLNWb8t7f6xY0k0RenEMwgoN55k6VFnMMEaa4s6F3Y
X4FQg5bl2qV1LHhvohQXE4vMSykhPClpp4DXMNOcobsCsPk4+05yQiodn3m29ZtG
lN0Ir7DQZtWZUquV8E4DENhlgQZeRtMSiRjosRfqMVsATNjt2tG7hmFxLsPngRjU
3OEdOeh3L0im5Pjz06FmNAVE3JqpQFuGdJ1w55d/+ODj6BuF+r53Axc4a/ICBgBG
Uz27nFTgJsHnRMjlMvjKDCS5GdaDQDLQNPpvViwsfOueg0f5+T7ckqiqX/365UzZ
EyG8yPcshrNC/c7ZLp6ZQg33nDKQbBDc8s9dqbMCQZCilAgZ8bA=
=zu6j
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
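The three advisories above describe the same defect class: a stored cross-site scripting issue in a user-supplied Color field (task lists) and a URL field (calendars). The following PHP is an added example written for this bulletin; it is not Horde's code and not the Debian fix. It shows the defensive pattern that closes this class of bug: allow-list validation of each field against the shape it must have, a fixed fallback when validation fails, and HTML attribute encoding on output. The function names, the "#RGB/#RRGGBB only" colour policy, the "http(s) with a host only" URL policy and the sample inputs are all assumptions made for illustration.

```php
<?php
// Added example (not Horde's code): allow-list validation for a colour value
// and a URL before either reaches HTML or CSS output. Function names and the
// validation policies below are assumptions chosen for illustration.

declare(strict_types=1);

/**
 * Accept only a CSS hex colour (#RGB or #RRGGBB). Returns null on anything
 * else, so a caller never interpolates free-form text into a style attribute.
 */
function validateHexColor(string $value): ?string
{
    $value = trim($value);
    if (preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value) === 1) {
        return strtolower($value);
    }
    return null;
}

/**
 * Accept only absolute http(s) URLs that carry a host. Rejects javascript:,
 * data: and other schemes, and anything parse_url() cannot take apart.
 */
function validateHttpUrl(string $value): ?string
{
    $value = trim($value);
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $value;
}

/** Render a task-list colour swatch: validated colour, then encoded on output. */
function renderSwatch(string $color): string
{
    // Fixed default when the input is not a colour; never echo the raw value.
    $safe = validateHexColor($color) ?? '#808080';
    return '<span style="background:' . htmlspecialchars($safe, ENT_QUOTES, 'UTF-8') . '"></span>';
}

/** Render a calendar link: validated URL, then attribute-encoded on output. */
function renderLink(string $url, string $label): string
{
    $safe = validateHttpUrl($url);
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    if ($safe === null) {
        return $text; // drop the link rather than emit an unsafe href
    }
    return '<a href="' . htmlspecialchars($safe, ENT_QUOTES, 'UTF-8')
         . '" rel="noopener noreferrer">' . $text . '</a>';
}

// Constructed sample inputs: one well-formed and one malformed value per field.
$colors = ['#1a2B3c', '#fff" onmouseover="x'];
$urls   = ['https://example.org/cal.ics', 'javascript:void(0)'];

foreach ($colors as $c) {
    echo renderSwatch($c), PHP_EOL;            // malformed value falls back to #808080
}
foreach ($urls as $u) {
    echo renderLink($u, 'My calendar'), PHP_EOL; // malformed value renders as plain text
}
```

The point of the pattern is that validation and encoding are separate layers: the regular expression and the scheme allow-list reject input that is not a colour or not a web URL at all, and `htmlspecialchars()` still runs on whatever survives, so a gap in one layer does not by itself put attacker-controlled text into an attribute.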

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
