===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3025
                        php-horde - security update
                               8 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php-horde
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-16907 CVE-2017-16906

Original Bulletin:
   https://security-tracker.debian.org/tracker/DLA-1535-1
   https://security-tracker.debian.org/tracker/DLA-1536-1
   https://security-tracker.debian.org/tracker/DLA-1537-1

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running php-horde check for an updated version of the software for
         their operating system.

         This bulletin contains three (3) security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : php-horde
Version        : 5.2.1+debian0-2+deb8u4
CVE ID         : CVE-2017-16907
Debian Bug     : 909739

It was discovered that the Horde Application Framework written in PHP was
affected by a Cross-site scripting vulnerability via the Color field in a
Create Task List action. This may be used by attackers to bypass access
controls.

For Debian 8 "Jessie", this problem has been fixed in version
5.2.1+debian0-2+deb8u4.

We recommend that you upgrade your php-horde packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

==============================================================================

Package        : php-horde-core
Version        : 2.15.0+debian0-1+deb8u2
CVE ID         : CVE-2017-16907
Debian Bug     : 909800

It was discovered that the Horde Application Framework written in PHP was
affected by a Cross-site scripting vulnerability via the Color field in a
Create Task List action. This may be used by attackers to bypass access
controls.

For Debian 8 "Jessie", this problem has been fixed in version
2.15.0+debian0-1+deb8u2.

We recommend that you upgrade your php-horde-core packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

==============================================================================

Package        : php-horde-kronolith
Version        : 4.2.2-4+deb8u1
CVE ID         : CVE-2017-16906
Debian Bug     : 909737

It was discovered that the Horde Application Framework written in PHP was
affected by a Cross-site scripting vulnerability via the URL field in a
Calendar. This may be used by attackers to bypass access controls.

For Debian 8 "Jessie", this problem has been fixed in version
4.2.2-4+deb8u1.

We recommend that you upgrade your php-horde-kronolith packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
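The three DLAs above describe the same defect twice over: a task-list Color field and a calendar URL field carry user-controlled input into HTML. As an added example that is not Horde's or Debian's own code, the following PHP shows the server-side validation and attribute escaping a maintainer would apply to such fields; the function names, the accepted colour syntax and the http/https allow-list are assumptions, and the inputs are constructed.

```php
<?php
// Added example (not Horde's or Debian's code). Strict validation for the two
// field types named in the DLAs, plus context-aware escaping on output.
declare(strict_types=1);

/**
 * Accept only a CSS hex colour (#rgb or #rrggbb). Quotes, angle brackets or
 * anything else smuggled into the field fails the match and is rejected.
 */
function validate_color(string $value): ?string
{
    $value = trim($value);
    if (preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value) !== 1) {
        return null;
    }
    return strtolower($value);
}

/**
 * Accept only absolute http(s) URLs with a host. javascript:, data: and
 * scheme-relative values are refused before they can reach a template.
 */
function validate_url(string $value): ?string
{
    $value = trim($value);
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $value;
}

/** Escape for an HTML attribute context even after validation (defence in depth). */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: one well-formed and one malformed value per field.
foreach (['#1a2b3c', '#fff"<b>'] as $c) {
    $ok = validate_color($c);
    echo $ok === null ? "colour rejected\n"
        : '<span style="background:' . attr($ok) . '">task list</span>' . "\n";
}
foreach (['https://calendar.example.org/feed.ics', 'javascript:void(0)'] as $u) {
    $ok = validate_url($u);
    echo $ok === null ? "url rejected\n" : '<a href="' . attr($ok) . '">calendar</a>' . "\n";
}
```

Validation rejects the malformed values outright rather than relying on escaping alone, while `attr()` still escapes the accepted ones so a later change to the allowed formats cannot silently reopen the attribute context.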