-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0645
                   php-horde-text-filter security update
                             22 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php-horde-text-filter
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26929  

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2564

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running php-horde-text-filter check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2564-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Sylvain Beucler
February 18, 2021                           https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : php-horde-text-filter
Version        : 2.3.5-1+deb9u1
CVE ID         : CVE-2021-26929
Debian Bug     : 982769

Alex Birnberg discovered a cross-site scripting (XSS) vulnerability in
the Horde Application Framework, more precisely its Text Filter API.
An attacker could take control of a user's mailbox by sending a
crafted e-mail.

CVE-2021-26929

    An XSS issue was discovered in Horde Groupware Webmail Edition
    (where the Horde_Text_Filter library is used). The attacker can
    send a plain text e-mail message, with JavaScript encoded as a
    link or email that is mishandled by preProcess in Text2html.php,
    because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes
    with XSS defenses.
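The description above points at a common text-to-HTML filter design: URLs and e-mail addresses are swapped for placeholder tokens before the text is HTML-escaped, and the tokens are expanded back into markup afterwards. If the token delimiters are fixed byte sequences that HTML escaping leaves untouched, a sender who puts those bytes into a plain-text message can smuggle arbitrary markup through the escaping step. The following Python model is an added illustration of that pattern and its fix, not Horde's Text2html/Linkurls code; the \x00\x00\x00 and \x01\x01\x01 delimiters come from the CVE text, while the base64 token body, the assignment of one delimiter to links and the other to e-mail addresses, the function names and the sample inputs are assumptions made for this example.

```python
import base64
import html
import re

# Assumed token format: MARK + base64(markup) + MARK. The two delimiters
# are the byte sequences named in CVE-2021-26929; everything else here is
# a constructed model, not the Horde library's implementation.
URL_MARK, MAIL_MARK = "\x00\x00\x00", "\x01\x01\x01"
URL_RE = re.compile(r"https?://[^\s<>\"']+")
MAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
TOKEN_RE = re.compile(r"(\x00\x00\x00|\x01\x01\x01)([A-Za-z0-9+/=]*)\1")


def _token(mark, markup):
    """Wrap ready-made HTML in a placeholder so escaping will skip it."""
    return mark + base64.b64encode(markup.encode()).decode("ascii") + mark


def _url_cb(m):
    u = html.escape(m.group(0), quote=True)
    return _token(URL_MARK, '<a href="%s">%s</a>' % (u, u))


def _mail_cb(m):
    a = html.escape(m.group(0), quote=True)
    return _token(MAIL_MARK, '<a href="mailto:%s">%s</a>' % (a, a))


def _restore(m):
    return base64.b64decode(m.group(2)).decode("utf-8", "replace")


def _pipeline(text):
    pre = MAIL_RE.sub(_mail_cb, URL_RE.sub(_url_cb, text))  # preProcess: linkify
    escaped = html.escape(pre, quote=False)  # \x00 and \x01 are not escaped
    return TOKEN_RE.sub(_restore, escaped)  # postProcess: tokens back to HTML


def text2html_vulnerable(text):
    """Flawed filter: trusts any token it finds, including sender-supplied ones."""
    return _pipeline(text)


def text2html_fixed(text):
    """Hardened filter: drop the delimiter bytes from untrusted input first,
    so only tokens created by the filter itself survive to postProcess."""
    return _pipeline(text.replace("\x00", "").replace("\x01", ""))


def forge_token(markup, mark=URL_MARK):
    """Constructed attacker input: a token the filter never created."""
    return _token(mark, markup)


if __name__ == "__main__":
    print(text2html_vulnerable("see https://example.com/ <b>"))
    evil = "hi " + forge_token("<script>alert(1)</script>")
    print(repr(text2html_vulnerable(evil)))  # raw <script> reaches the page
    print(repr(text2html_fixed(evil)))       # only harmless base64 text remains
```

The fix modelled here removes the delimiter bytes from the input before tokenisation; an equivalent design uses a random per-invocation delimiter that a sender cannot predict. Either way, the lesson is that an escaping step is only a defence for bytes it actually rewrites. For the real package, the remedy is the upgrade below; on a Debian 9 host, `dpkg-query -W php-horde-text-filter` shows whether the installed version is already 2.3.5-1+deb9u1.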

For Debian 9 stretch, this problem has been fixed in version
2.3.5-1+deb9u1.

We recommend that you upgrade your php-horde-text-filter packages.

For the detailed security status of php-horde-text-filter please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-text-filter

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----