Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-403-1 radicale

Debian Security Advisory

DLA-403-1 radicale -- LTS security update

Date Reported:

26 Jan 2016

Affected Packages:

radicale

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 809920.
In Mitre's CVE dictionary: CVE-2015-8747, CVE-2015-8748.

More information:

Several issues have been discovered by Unrud in Radicale, a calendar and addressbook server. A remote attacker could exploit these vulnerabilities and call arbitrary functions by sending crafted HTTP requests.

• CVE-2015-8748

  Prevent regex injection in rights management. Prevent crafted HTTP request from calling arbitrary functions.

• CVE-2015-8747

  The multifilesystem backend allows access to arbitrary files on all platforms. (Squeeze is not affected because the multifilesystem backend does not exist in this version.)

For Debian 6 Squeeze, these problems have been fixed in version 0.3-2+deb6u1.

We recommend that you upgrade your radicale packages.