===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0645
                   php-horde-text-filter security update
                              22 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php-horde-text-filter
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26929

Original Bulletin:
   https://www.debian.org/lts/security/2021/dla-2564

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running php-horde-text-filter check for an updated version of the
         software for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2564-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
February 18, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php-horde-text-filter
Version        : 2.3.5-1+deb9u1
CVE ID         : CVE-2021-26929
Debian Bug     : 982769

Alex Birnberg discovered a cross-site scripting (XSS) vulnerability in
the Horde Application Framework, more precisely its Text Filter API. An
attacker could take control of a user's mailbox by sending a crafted
e-mail.

CVE-2021-26929

    An XSS issue was discovered in Horde Groupware Webmail Edition
    (where the Horde_Text_Filter library is used).
    The attacker can send a plain text e-mail message, with JavaScript
    encoded as a link or email that is mishandled by preProcess in
    Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01
    interferes with XSS defenses.

For Debian 9 stretch, this problem has been fixed in version
2.3.5-1+deb9u1.

We recommend that you upgrade your php-horde-text-filter packages.

For the detailed security status of php-horde-text-filter please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-text-filter

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.