===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1309
        php-horde-data security updates [DLA 2174-1 and DLA 2175-1]
                               15 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php-horde-data
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8865 CVE-2020-8518 

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html
   https://lists.debian.org/debian-lts-announce/2020/04/msg00009.html

Comment: This bulletin contains two (2) Debian security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

[DLA 2174-1] php-horde-data security update

Package        : php-horde-data
Version        : 2.1.0-5+deb8u1
CVE ID         : CVE-2020-8518
Debian Bug     : 951537


A remote code execution vulnerability was discovered in the Horde
Application Framework.  An authenticated remote attacker could use this
flaw to cause execution of uploaded CSV data.

For Debian 8 "Jessie", this problem has been fixed in version
2.1.0-5+deb8u1.

We recommend that you upgrade your php-horde-data packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

------------------------------------------------------------------------------

[DLA 2175-1] php-horde-trean security update

Package        : php-horde-trean
Version        : 1.1.1-2+deb8u1
CVE ID         : CVE-2020-8865
Debian Bug     : 955019


A directory traversal vulnerability resulting from insufficient input
sanitization was discovered in the Horde Application Framework.  An
authenticated remote attacker could use this flaw to execute code in the
context of the web server user.

For Debian 8 "Jessie", this problem has been fixed in version
1.1.1-2+deb8u1.

We recommend that you upgrade your php-horde-trean packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================