A few days ago we became aware of a manipulated file on our FTP server. Upon further investigation we discovered that the server has been hacked earlier, and three releases have been manipulated to allow unauthenticated remote PHP execution.
We have immediately taken down all distribution servers to further analyze the extent of this incident, and we have worked closely with various Linux distributions to coordinate our response.
Since then the FTP and PEAR servers have been replaced and further secured. Clean versions of our releases have been uploaded.
This issue will be tracked as CVE-2012-0209: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0209
We have been able to limit the manipulation to three files downloaded during a certain timeframe. The affected releases are:
- Horde 3.3.12 downloaded between November 15 and February 7
- Horde Groupware 1.2.10 downloaded between November 9 and February 7
- Horde Groupware Webmail Edition 1.2.10 downloaded between November 2 and February 7
No other releases have been affected. Specifically, no Horde 4 releases were compromised. Our CVS and Git repositories are not affected either. Linux distributions that are affected will notify and provide security releases individually.
If you are not sure whether you are affected or want to verify manually whether you are affected, you can search for this signature in your Horde directory tree:
We recommend that all users of the affected version immediately re-install using fresh copies downloaded from our FTP server, or to upgrade to the more recent versions that have been released since then. This is a list of suggested replacements and their MD5 checksums:
If you are running Horde 4, you don't need to do anything.
We apologize for the inconvenience and assure you that we are undertaking a full security review of our procedures to prevent this kind of incident from happening again.
If you have further questions, please ask on the Horde mailing list: http://www.horde.org/community/mail
We did not ship version 3.3.12 in Fedora or EPEL.
(In reply to comment #1)
> We did not ship version 3.3.12 in Fedora or EPEL.
Horde 3.3.12 was previously available in Fedora Rawhide. I was added there in August 2011, i.e. before source tarballs were compromised on the upstream FTP server. MD5 checksum of the source that was imported is bc04ce4499af24a403429c81d0a8afcf: