[KLUG Members] Fw: [SECURITY] [DSA-126-1] Horde and IMP cross-site scripting attack

Richard Zimmerman members@kalamazoolinux.org
Wed, 17 Apr 2002 09:37:11 -0500


   I saw the following this morning in the Security Focus email group. I
know several of you use these packages so I thought I would forward it
along to you...

  Richard

----- Original Message -----
From: "Wichert Akkerman" <wichert@wiggy.net>
To: <debian-security-announce@lists.debian.org>
Sent: Tuesday, April 16, 2002 10:34 AM
Subject: [SECURITY] [DSA-126-1] Horde and IMP cross-site scripting attack


> -----BEGIN PGP SIGNED MESSAGE-----
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-126-1                   security@debian.org
> http://www.debian.org/security/                         Wichert Akkerman
> April 16, 2002
> - ------------------------------------------------------------------------
>
>
> Package        : imp
> Problem type   : cross-site scripting (CSS)
> Debian-specific: no
>
>
> A cross-site scripting (CSS) problem was discovered in Horde and IMP (a web
> based IMAP mail package). This was fixed upstream in Horde version 1.2.8
> and IMP version 2.2.8. The relevant patches have been back-ported to
> version 1.2.6-0.potato.5 of the horde package and version 2.2.6-0.potato.5
> of the imp package.
>
> This release also fixes a bug introduced by the php security fix from
> DSA-115-1: the php postgres support changed subtly, which broke the
> postgres support from imp.
>
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
>
> Debian GNU/Linux 2.2 alias potato
> - ---------------------------------
>
>   Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
>
>   Source archives:
>
>     http://security.debian.org/dists/stable/updates/main/source/horde_1.2.6-0.potato.5.dsc
>       MD5 checksum: b77256b8029270a8de5240e8a5533cae
>
>     http://security.debian.org/dists/stable/updates/main/source/horde_1.2.6-0.potato.5.tar.gz
>       MD5 checksum: 85ec854ef905a906997088649a12d60c
>
>     http://security.debian.org/dists/stable/updates/main/source/imp_2.2.6-0.potato.5.dsc
>       MD5 checksum: e8c010d3227f4c55e5b5c68b9921aee5
>
>     http://security.debian.org/dists/stable/updates/main/source/imp_2.2.6-0.potato.5.tar.gz
>       MD5 checksum: a874af4a6ef5ef8b3e5fd59f40db13c2
>
>   Architecture independent archives:
>
>     http://security.debian.org/dists/stable/updates/main/binary-all/horde_1.2.6-0.potato.5_all.deb
>       MD5 checksum: df0fe8f732da4edee3f78202c9e2127a
>
>     http://security.debian.org/dists/stable/updates/main/binary-all/imp_2.2.6-0.potato.5_all.deb
>       MD5 checksum: ffd216c15b27c1c3449512a5ccaa5af2
>
>   These packages will be moved into the stable distribution on its next
>   revision.
>
> - --
> - ----------------------------------------------------------------------------
> apt-get: deb http://security.debian.org/ stable/updates main
> dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
>

Richard Zimmerman                                     richard@knbpower.com
System Administrator                                   ke4rit@earthlink.net
K&B Transport, Inc.
Elkhart, Indiana                     Advanced SKYWARN weather spotter

Look Listen and Live!
Support Operation Lifesaver
www.oli.org
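
Added example (not part of the forwarded advisory, and not Debian's own tooling): a small Python check that reads the URL / "MD5 checksum:" pairs out of an advisory mail, tolerating ">" quoting and URLs that a mail client has wrapped across lines, and accepts a downloaded file only if its digest matches before it is handed to dpkg -i. The function names, the mirror.example URL and the sample payloads are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MD5_LINE = re.compile(r"MD5 checksum:\s*([0-9a-fA-F]{32})\s*$")

def parse_advisory(text):
    """Map file name -> expected MD5 from a (possibly '>'-quoted) advisory mail."""
    expected, url = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        m = MD5_LINE.search(line)
        if m and url:
            expected[url.rsplit("/", 1)[-1]] = m.group(1).lower()
            url = None
        elif line.startswith(("http://", "https://", "ftp://")):
            url = line
        elif url and line and " " not in line:
            url += line  # continuation of a URL the mail client wrapped
        else:
            url = None   # any other text ends the pending URL
    return expected

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def safe_to_install(path, expected):
    """True only if the file is listed in the advisory and its MD5 matches."""
    name = Path(path).name
    return name in expected and md5_of(path) == expected[name]

def demo():
    """Constructed input: hypothetical URL, file name and payloads."""
    good, bad = b"constructed package payload", b"tampered payload"
    mail = ("> \nhttp://mirror.example/updates/main/binary-all/demo_1.0-\n"
            "1_all.deb\n"
            f">       MD5 checksum: {hashlib.md5(good).hexdigest()}\n")
    expected = parse_advisory(mail)
    results = []
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d) / "demo_1.0-1_all.deb"
        for payload in (good, bad):
            pkg.write_bytes(payload)
            results.append(safe_to_install(pkg, expected))
    return expected, results

if __name__ == "__main__":
    print(demo())
```

A matching digest only shows that the download is the file the mail lists; whether the mail itself is genuine rests on verifying the PGP signature on the original advisory, which does not survive quoting in a forwarded copy.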