Description of problem:
http://lists.horde.org/archives/announce/2008/000382.html

Version-Release number of selected component (if applicable):
horde-3.1.6

How reproducible:
unknown
Packages are building in koji.
horde-3.1.7-1.fc8 has been submitted as an update for Fedora 8
horde-3.1.7-1.fc7 has been submitted as an update for Fedora 7
======================================================
Name: CVE-2008-1284
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1284
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20080310
Category:
Reference: BUGTRAQ:20080307 Horde Webmail file inclusion proof of concept & patch.
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/489239/100/0/threaded
Reference: BUGTRAQ:20080308 Re: Horde Webmail file inclusion proof of concept & patch.
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/489289/100/0/threaded
Reference: MLIST:[announce] 20080307 Horde Groupware 1.0.5 (final)
Reference: URL:http://lists.horde.org/archives/announce/2008/000383.html
Reference: MLIST:[announce] 20080307 Horde Groupware Webmail Edition 1.0.6 (final)
Reference: URL:http://lists.horde.org/archives/announce/2008/000384.html
Reference: MLIST:[announce] 20080307 Horde 3.1.7 (final)
Reference: URL:http://lists.horde.org/archives/announce/2008/000382.html
Reference: BID:28153
Reference: URL:http://www.securityfocus.com/bid/28153
Reference: FRSIRT:ADV-2008-0822
Reference: URL:http://www.frsirt.com/english/advisories/2008/0822/references
Reference: SECUNIA:29286
Reference: URL:http://secunia.com/advisories/29286
Reference: XF:horde-theme-file-include(41054)
Reference: URL:http://xforce.iss.net/xforce/xfdb/41054

Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme name.
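The class of bug in the CVE description above, seen from the defensive side: a theme name taken from user preferences is validated and canonicalized before it becomes part of a file path. This is an added example and not Horde's code or the 3.1.7 patch; the function name `resolve_theme_css()`, the directory layout and the file name `screen.css` are assumptions, and the sample names are constructed.

```php
<?php
// Added example, not Horde's code. resolve_theme_css(), the themes layout
// and the file name screen.css are assumptions made for illustration.

function resolve_theme_css(string $themesDir, string $theme): ?string
{
    // Allowlist the name: no dots, slashes, backslashes or NUL bytes can
    // pass, so ".." sequences and "\0" truncation tricks are refused early.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return null;
    }

    $base = realpath($themesDir);
    if ($base === false) {
        return null;
    }

    // Canonicalize the final path (resolves symlinks) and require that it
    // still sits under the themes directory before it is ever opened.
    $path = realpath($base . DIRECTORY_SEPARATOR . $theme . DIRECTORY_SEPARATOR . 'screen.css');
    if ($path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: one real theme plus hostile and malformed names.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'themes_demo_' . getmypid();
mkdir($root . '/silver', 0700, true);
file_put_contents($root . '/silver/screen.css', "body { color: #333; }\n");

$samples = ['silver', '../../outside', "../../outside\0", 'silver/../silver', '', 'missing'];
foreach ($samples as $name) {
    $result = resolve_theme_css($root, $name);
    $label = json_encode($name, JSON_UNESCAPED_SLASHES);
    printf("%-24s => %s\n", $label, $result === null ? 'rejected' : 'accepted');
}

// Clean up the constructed directory.
unlink($root . '/silver/screen.css');
rmdir($root . '/silver');
rmdir($root);
```

The character allowlist alone stops the inputs named in the CVE text; the `realpath()` containment check is a second layer that also covers symlinked theme directories.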
There is still the old summary in the waiting update. Is it a problem?
https://admin.fedoraproject.org/updates/F8/pending/horde-3.1.7-1.fc8
https://admin.fedoraproject.org/updates/F7/pending/horde-3.1.7-1.fc7
horde-3.1.7-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
horde-3.1.7-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.