This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes

Bug 790877 (CVE-2012-0209)

Summary: CVE-2012-0209 Horde 3.3.12 backdoor found in source code
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: maurizio.antillon, nb, tibbs
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20120213,reported=20120312,source=internet,cvss2=6.4/AV:N/AC:L/Au:N/C:P/I:P/A:N,fedora-all/horde=notaffected,epel-all/horde=notaffected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-15 11:14:54 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Kurt Seifried 2012-02-15 10:52:08 EST

A few days ago we became aware of a manipulated file on our FTP server. Upon further investigation we discovered that the server has been hacked earlier, and three releases have been manipulated to allow unauthenticated remote PHP execution.
We have immediately taken down all distribution servers to further analyze the extent of this incident, and we have worked closely with various Linux distributions to coordinate our response.
Since then the FTP and PEAR servers have been replaced and further secured. Clean versions of our releases have been uploaded.

This issue will be tracked as CVE-2012-0209:

We have been able to limit the manipulation to three files downloaded during a certain timeframe. The affected releases are:
- Horde 3.3.12 downloaded between November 15 and February 7
- Horde Groupware 1.2.10 downloaded between November 9 and February 7
- Horde Groupware Webmail Edition 1.2.10 downloaded between November 2 and February 7

No other releases have been affected. Specifically, no Horde 4 releases were compromised. Our CVS and Git repositories are not affected either. Linux distributions that are affected will notify and provide security releases individually.

If you are not sure whether you are affected or want to verify manually whether you are affected, you can search for this signature in your Horde directory tree:


We recommend that all users of the affected version immediately re-install using fresh copies downloaded from our FTP server, or to upgrade to the more recent versions that have been released since then. This is a list of suggested replacements and their MD5 checksums:


If you are running Horde 4, you don't need to do anything.

We apologize for the inconvenience and assure you that we are undertaking a full security review of our procedures to prevent this kind of incident from happening again.

If you have further questions, please ask on the Horde mailing list:
Comment 1 Kurt Seifried 2012-02-15 11:14:54 EST
We did not ship version 3.3.12 in Fedora or EPEL.
Comment 2 Tomas Hoger 2012-02-15 11:31:12 EST
(In reply to comment #1)
> We did not ship version 3.3.12 in Fedora or EPEL.

Horde 3.3.12 was previously available in Fedora Rawhide.  I was added there in August 2011, i.e. before source tarballs were compromised on the upstream FTP server.  MD5 checksum of the source that was imported is bc04ce4499af24a403429c81d0a8afcf:;a=commitdiff;h=8a72c4ecee2f85530be09e9cc8e0fc0fda434c60#patch3