
Horde vulnerability

kjellberg
Posts: 38
Joined: 03 Dec 2010, 07:18

Horde vulnerability

Post by kjellberg »

Is Horde the mail/calendar system on the B3? If so, is this something to worry about?
http://www.idg.se/2.1085/1.432614/allva ... n-mjukvara
/Henrik
ryz
Posts: 183
Joined: 12 Feb 2009, 06:03

Re: Horde vulnerability

Post by ryz »

For those of you who do not read Swedish, you can find the official Horde comment here: http://dev.horde.org/h/jonah/stories/vi ... d=1&id=155
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Horde vulnerability

Post by Ubi »

For those of you who post references but do not bother to read them yourselves, you can see it is not relevant for the B3:
We have been able to limit the manipulation to three files downloaded during a certain timeframe. The affected releases are:
- Horde 3.3.12 downloaded between November 15 and February 7
- Horde Groupware 1.2.10 downloaded between November 9 and February 7
- Horde Groupware Webmail Edition 1.2.10 downloaded between November 2 and February 7

No other releases have been affected. Specifically, no Horde 4 releases were compromised. Our CVS and Git repositories are not affected either. Linux distributions that are affected will notify and provide security releases individually.
Horde in the B3 is older than 3 months so it is not affected.

In other words: Nothing to see here. Please move along.

(This must be at least a 7.9 for those of the inner circle who know what I mean)
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: Horde vulnerability

Post by RandomUsername »

As much as I hate to disagree with you, Ubi, I think you're being a bit unfair. I didn't know what version of Horde is installed on the B3 without looking (don't use it, so don't care) and there has just been an update that may have included an update to Horde.
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Horde vulnerability

Post by Ubi »

Please do disagree with me. It's healthy!
But anyway, the version number of Horde is present in the header of each PHP file of the Horde distro, so it is easily checked. Apart from that, there is not a single mainstream distro that ships major software packages within months of release. Least of all Debian.
In your defense though, I can imagine novice users may not realize this last feat, and indeed the Horde version is not verifiable from the B123 GUI. Ryz, however, is not a noob at all; he has shown he knows his way around the inner workings of the B3 very well. So I think it is fair to expect him to check the Horde version first instead of posting a needlessly alarming message that scares the less technical people, who then flood the Excito helpdesk.
ryz
Posts: 183
Joined: 12 Feb 2009, 06:03

Re: Horde vulnerability

Post by ryz »

Well, first, I do not own a B3, so this makes it a little harder to check the version (not impossible, just a little bit harder). Secondly, projects do bug fix releases that distros can pick up quite fast. Even if Debian is extremely careful to take in new stuff, that does not mean that Excito could have chosen to go for a new version which had fixed a severe bug they have experienced in the B3. Third, I have very little time to do this kind of checking in the daytime, so yes, I did leave it up to others to do the check.
I still think it was better to post an English version of the bug report than do nothing, since this meant that more people would know what to check to know if this did affect the B3 or not.

I do not buy the "don't scare the user, so don't tell them about possible security issues until you are sure there is one" argument.