horde3 (3.1.1-1ubuntu0.1) dapper-security; urgency=low

  * SECURITY UPDATE: (LP: #203456)
    + Directory traversal vulnerability in Horde 3.1.6, Groupware before
      1.0.5, and Groupware Webmail Edition before 1.0.6, when running with
      certain configurations, allows remote authenticated users to read and
      execute arbitrary files via ".." sequences and a null byte in the
      theme name. Fix directory traversal vulnerability in Registry.php
      which allows an attacker to read and execute arbitrary local files
      via crafted path sequences.
  * References
    + http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.6-3.1.7.gz
    + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1284
    + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470640
    + http://www.debian.org/security/2008/dsa-1519

 -- Emanuele Gentili  Thu, 27 Mar 2008 16:05:35 +0100

horde3 (3.1.1-1) unstable; urgency=high

  [ Lionel Elie Mamane ]
  * New upstream version
    - Close remote arbitrary command execution hole (closes: #360023)
  * Really exclude {arch} directory from being installed in binary package.

 -- Lionel Elie Mamane  Thu, 6 Apr 2006 19:14:56 +0200

horde3 (3.1-2) UNRELEASED; urgency=low

  [ Lionel Elie Mamane ]
  * Conflict with versions of turba2 we break compatibility with.
    (closes: #360231)

 -- Lionel Elie Mamane  Fri, 31 Mar 2006 23:08:02 +0200

horde3 (3.1-1) unstable; urgency=low

  [ Lionel Elie Mamane ]
  * Tweak the "Admin interface disabled because insecure" message.

  [ Ola Lundqvist ]
  * Updated to upstream version 3.1, closes: #356186, #356526.
    With correction for CVE-2006-1260 file disclosure vulnerability.
    Closes: #358812. This version corrects CVE-2005-4190 as well,
    closes: #354512.
  * Modified dependencies in order to support php5 and to support recent
    installations of php4, closes: #353612, #359700, #359208.

 -- Ola Lundqvist  Tue, 28 Mar 2006 20:58:38 +0200

horde3 (3.0.9-3) unstable; urgency=low

  * Move to team maintainership.
  * Make sure that {arch} is not a part of installed dir.
 -- Ola Lundqvist  Sun, 12 Mar 2006 21:40:35 +0100

horde3 (3.0.9-2) unstable; urgency=high

  * Correct fix for weatherdotcom.

 -- Ola Lundqvist  Fri, 16 Dec 2005 20:50:01 +0100

horde3 (3.0.9-1) unstable; urgency=high

  * New upstream release that corrects a cross site scripting vulnerability
    as described in CVE-2005-4190, closes: #342942.
  * Documented that horde is incompatible with php4 session.auto_start
    option in the README.Debian file, closes: #341695.
  * Added php-mail to recommends list, closes: #339135.
  * Applied a patch to make weatherdotcom work, closes: #342161.
    Thanks to Giuseppe Iuculano.
  * Documented how to add alias to apache config, closes: #306605.
  * Changed the initial config message slightly, closes: #341358.

 -- Ola Lundqvist  Fri, 16 Dec 2005 17:51:15 +0100

horde3 (3.0.7-1) unstable; urgency=high

  * New upstream release. This version fixes cross site scripting
    vulnerabilities (CVE-2005-3759), closes: #340323.

 -- Ola Lundqvist  Tue, 22 Nov 2005 22:45:59 +0100

horde3 (3.0.6-1) unstable; urgency=low

  * New upstream release.
  * Added phpapi-20041030 to the supported api versions (to support php5),
    closes: #333155.
  * Fixed so files in etc are rewritten the same way as files in usr/share,
    closes: #319780.
  * Updated to standards version 3.6.2.
  * Corrected to new FSF address.

 -- Ola Lundqvist  Sat, 5 Nov 2005 16:11:03 +0100

horde3 (3.0.5-4) unstable; urgency=low

  * Minor fix for README.Debian file.
  * Added suggests of php4-mhash, closes: #335913.
  * Corrected dependency on php4, closes: #329940.
  * Corrected problem with ispell and Brazilian Language, closes: #328155.
    Thanks to Jose Carlos Medeiros for the fix.

 -- Ola Lundqvist  Sat, 5 Nov 2005 12:40:43 +0100

horde3 (3.0.5-3) unstable; urgency=high

  * Improved description on why horde3 is disabled by default.

 -- Ola Lundqvist  Sun, 9 Oct 2005 12:54:43 +0200

horde3 (3.0.5-2) unstable; urgency=high

  * Configuration disabled by default, closes: #332290, #332289.
  * Removed some crap from the README.Debian file, closes: #332276.
 -- Ola Lundqvist  Sat, 8 Oct 2005 21:10:48 +0200

horde3 (3.0.5-1) unstable; urgency=low

  * New upstream release, closes: #325146, #315571, #325727, #321490,
    #309729, #304186.
  * Added gollem to suggest list, closes: #325492.
  * Added webcpp, chora2, xlhtml, ppthtml, wv, source-highlight, enscript
    and rpm to suggest list, closes: #309657, #326066.
  * Patched config/mime_drivers.php.dist so that no /usr/local is used for
    programs that exist in Debian archive, closes: #309661.

 -- Ola Lundqvist  Fri, 9 Sep 2005 22:53:15 +0200

horde3 (3.0.4-4) unstable; urgency=low

  * Added conflict on horde so removing horde does not cause configuration
    removal in horde3, closes: #307623.

 -- Ola Lundqvist  Wed, 4 May 2005 23:08:08 +0200

horde3 (3.0.4-3) unstable; urgency=medium

  * Removed post* and pre* files because they contain nothing that should
    remain.
  * Fixed dependency problem, closes: #294026.
  * Added a note about configuration to README.Debian, closes: #304086.

 -- Ola Lundqvist  Sun, 17 Apr 2005 14:27:31 +0200

horde3 (3.0.4-2) unstable; urgency=low

  * Fixed permission problem on log file.
  * Updated copyright file. It actually uses LGPL and not GPL.
  * Removed unnecessary config dir in /etc/horde/horde3.

 -- Ola Lundqvist  Sun, 10 Apr 2005 19:51:55 +0200

horde3 (3.0.4-1) unstable; urgency=low

  * New upstream release.

 -- Ola Lundqvist  Mon, 4 Apr 2005 08:11:18 +0200

horde3 (3.0.3-1) unstable; urgency=low

  * New upstream release. Jose Carlos Medeiros has helped a lot with this
    version.

 -- Ola Lundqvist  Thu, 17 Feb 2005 15:41:33 -0200

horde3 (3.0.2-1) unstable; urgency=low

  * New upstream release.
  * Cooperated with Roberto Sanchez in order to complete this version.

 -- Ola Lundqvist  Fri, 7 Jan 2005 13:41:54 +0100

horde3 (3.0.1-1) unstable; urgency=low

  * New upstream release.

 -- Ola Lundqvist  Thu, 6 Jan 2005 16:35:23 +0100

horde3 (3.0-1) unstable; urgency=low

  * Initial Release.

 -- Ola Lundqvist  Sat, 1 Jan 2005 14:51:04 +0100