Debian Security Advisory

DLA-403-1 radicale -- LTS security update

Date Reported:
26 Jan 2016
Affected Packages:
radicale
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 809920.
In Mitre's CVE dictionary: CVE-2015-8747, CVE-2015-8748.
More information:

Several issues have been discovered by Unrud in Radicale, a calendar and address book server. A remote attacker could exploit these vulnerabilities and call arbitrary functions by sending crafted HTTP requests.

  • CVE-2015-8748

    Prevent regex injection in rights management. Prevent a crafted HTTP request from calling arbitrary functions.

  • CVE-2015-8747

    The multifilesystem backend allows access to arbitrary files on all platforms. (Squeeze is not affected because the multifilesystem backend does not exist in this version.)
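The two defect classes named above, regex injection into an access rule and a file backend that does not confine paths to its storage root, are illustrated below with a constructed Python example added to this advisory. It is not Radicale's code and does not reproduce Radicale's rights or storage modules: the rule template, the collection root and the sample user and collection names are assumptions made for the illustration. Each check is shown in a vulnerable and a hardened form so the fix is visible next to the flaw.

```python
import os
import re

# Constructed illustration added to this advisory; not Radicale's code.
# It shows, in minimal form, the two defect classes the advisory names.

# --- CVE-2015-8748 style: regex injection in a rights rule ----------------

# A constructed rule template granting a user access to every collection
# stored under a directory named after that user.
RULE_TEMPLATE = r"^{user}/.*$"


def rule_allows_unescaped(user, collection):
    """Vulnerable form: the user name is substituted into the pattern
    verbatim, so regex metacharacters in the name change the rule's scope."""
    pattern = RULE_TEMPLATE.format(user=user)
    return re.match(pattern, collection) is not None


def rule_allows_escaped(user, collection):
    """Hardened form: re.escape() makes the substituted name match only
    itself, whatever characters it contains."""
    pattern = RULE_TEMPLATE.format(user=re.escape(user))
    return re.match(pattern, collection) is not None


# --- CVE-2015-8747 style: confining a file backend to its root -----------

def resolve_in_root(root, requested):
    """Hardened resolution for a file-backed collection store: map the
    client-supplied collection path under `root` and refuse anything whose
    canonical form leaves `root` (traversal, absolute paths, symlinks)."""
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, requested))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise PermissionError("path escapes collection root: %r" % requested)
    return candidate


def path_is_confined(root, requested):
    """Boolean wrapper around resolve_in_root() for callers that only need
    a yes/no answer."""
    try:
        resolve_in_root(root, requested)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs.
    print(rule_allows_unescaped("alice", "alice/calendar.ics"))  # True
    print(rule_allows_unescaped("alice", "bob/calendar.ics"))    # False
    # A user name consisting of regex metacharacters widens the unescaped
    # rule to every collection; escaping keeps it to a literal directory.
    print(rule_allows_unescaped(".*", "bob/calendar.ics"))       # True
    print(rule_allows_escaped(".*", "bob/calendar.ics"))         # False
    root = "/var/lib/radicale/collections"  # constructed collection root
    print(path_is_confined(root, "alice/calendar.ics"))          # True
    print(path_is_confined(root, "../outside.ics"))              # False
    print(path_is_confined(root, "/etc/hostname"))               # False
```

The path check canonicalises both the root and the candidate with realpath() before comparing, so symlinks and `..` components are resolved on the same terms; comparing raw strings would let a path that merely starts with the root's text pass.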

For Debian 6 Squeeze, these problems have been fixed in version 0.3-2+deb6u1.

We recommend that you upgrade your radicale packages.