Bug 790877 (CVE-2012-0209) - CVE-2012-0209 Horde 3.3.12 backdoor found in source code
Summary: CVE-2012-0209 Horde 3.3.12 backdoor found in source code
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2012-0209
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-02-15 15:52 UTC by Kurt Seifried
Modified: 2019-09-29 12:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-15 16:14:54 UTC
Embargoed:



Description Kurt Seifried 2012-02-15 15:52:08 UTC
From http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155

A few days ago we became aware of a manipulated file on our FTP server. Upon further investigation we discovered that the server has been hacked earlier, and three releases have been manipulated to allow unauthenticated remote PHP execution.
We have immediately taken down all distribution servers to further analyze the extent of this incident, and we have worked closely with various Linux distributions to coordinate our response.
Since then the FTP and PEAR servers have been replaced and further secured. Clean versions of our releases have been uploaded.

This issue will be tracked as CVE-2012-0209: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0209

We have been able to limit the manipulation to three files downloaded during a certain timeframe. The affected releases are:
- Horde 3.3.12 downloaded between November 15 and February 7
- Horde Groupware 1.2.10 downloaded between November 9 and February 7
- Horde Groupware Webmail Edition 1.2.10 downloaded between November 2 and February 7

No other releases have been affected. Specifically, no Horde 4 releases were compromised. Our CVS and Git repositories are not affected either. Linux distributions that are affected will notify and provide security releases individually.

If you are not sure whether you are affected or want to verify manually whether you are affected, you can search for this signature in your Horde directory tree:

$m[1]($m[2])

We recommend that all users of the affected version immediately re-install using fresh copies downloaded from our FTP server, or to upgrade to the more recent versions that have been released since then. This is a list of suggested replacements and their MD5 checksums:

bc04ce4499af24a403429c81d0a8afcf ftp://ftp.horde.org/pub/horde/horde-3.3.12.tar.gz
5a0486a5f6f96a9957e770ddabe71b38 ftp://ftp.horde.org/pub/horde/horde-3.3.13.tar.gz
4bdab16c84513bbd9466cb0dc7464661 ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.10.tar.gz
fed921b55a8f544fba806333502cd45d ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.11.tar.gz
60e100c3e4ab59c01d30bf5eb813a182 ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.10.tar.gz
6f735266449bfda2cce8b5067b16ff74 ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.11.tar.gz

If you are running Horde 4, you don't need to do anything.

We apologize for the inconvenience and assure you that we are undertaking a full security review of our procedures to prevent this kind of incident from happening again.

If you have further questions, please ask on the Horde mailing list: http://www.horde.org/community/mail
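The two checks the upstream announcement asks affected sites to perform, written out as an added example (this is not code from the bug report or from the Horde project): a fixed-string search of a Horde directory tree for the signature quoted above, and a comparison of a downloaded tarball's MD5 against the checksums listed. The function names are my own and the script assumes GNU coreutils `md5sum`.

```shell
#!/bin/sh
# Added example, not Horde's code. Defender-side checks for CVE-2012-0209.

# Known-good checksums copied from the upstream announcement, keyed by
# tarball file name. Prints the MD5, or returns 1 for an unknown name.
horde_known_md5() {
    case "$1" in
        horde-3.3.12.tar.gz)           echo bc04ce4499af24a403429c81d0a8afcf ;;
        horde-3.3.13.tar.gz)           echo 5a0486a5f6f96a9957e770ddabe71b38 ;;
        horde-groupware-1.2.10.tar.gz) echo 4bdab16c84513bbd9466cb0dc7464661 ;;
        horde-groupware-1.2.11.tar.gz) echo fed921b55a8f544fba806333502cd45d ;;
        horde-webmail-1.2.10.tar.gz)   echo 60e100c3e4ab59c01d30bf5eb813a182 ;;
        horde-webmail-1.2.11.tar.gz)   echo 6f735266449bfda2cce8b5067b16ff74 ;;
        *) return 1 ;;
    esac
}

# Returns 0 only when the tarball's MD5 (GNU md5sum assumed) matches the
# published value; 1 when it differs or the file name is not in the table.
horde_verify_tarball() {
    _file=$1
    _expected=$(horde_known_md5 "$(basename "$_file")") ||
        { echo "no published checksum for $_file" >&2; return 1; }
    _actual=$(md5sum "$_file" | cut -d' ' -f1)
    [ "$_actual" = "$_expected" ]
}

# Searches every .php file under the given directory for the literal
# signature from the advisory. grep -F treats $, [ and ( as plain text.
# Prints each matching path and returns 1 if any were found, 0 if clean,
# 2 if the directory does not exist.
horde_scan_signature() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    _matches=$(find "$1" -type f -name '*.php' \
        -exec grep -lF '$m[1]($m[2])' {} + 2>/dev/null || true)
    [ -z "$_matches" ] && return 0
    printf '%s\n' "$_matches"
    return 1
}
```

A clean tree returns 0 from horde_scan_signature; a tarball whose name is in the table but whose checksum differs fails horde_verify_tarball, which is the signal to discard it and fetch a fresh copy.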

Comment 1 Kurt Seifried 2012-02-15 16:14:54 UTC
We did not ship version 3.3.12 in Fedora or EPEL.

Comment 2 Tomas Hoger 2012-02-15 16:31:12 UTC
(In reply to comment #1)
> We did not ship version 3.3.12 in Fedora or EPEL.

Horde 3.3.12 was previously available in Fedora Rawhide. It was added there in August 2011, i.e. before source tarballs were compromised on the upstream FTP server. MD5 checksum of the source that was imported is bc04ce4499af24a403429c81d0a8afcf:

http://pkgs.fedoraproject.org/repo/pkgs/horde/horde-3.3.12.tar.gz/
http://pkgs.fedoraproject.org/gitweb/?p=horde.git;a=commitdiff;h=8a72c4ecee2f85530be09e9cc8e0fc0fda434c60#patch3
