Debian Security Advisory
DLA-403-1 radicale -- LTS security update
- Date Reported: 26 Jan 2016
- Affected Packages: radicale
- Vulnerable: Yes
- Security database references:
  In the Debian bugtracking system: Bug 809920.
  In Mitre's CVE dictionary: CVE-2015-8747, CVE-2015-8748.
- More information:
Several issues have been discovered by Unrud in Radicale, a calendar and addressbook server. A remote attacker could exploit these vulnerabilities and call arbitrary functions by sending crafted HTTP requests.
- CVE-2015-8748
Prevent regex injection in rights management. Prevent crafted HTTP request from calling arbitrary functions.
- CVE-2015-8747
The multifilesystem backend allows access to arbitrary files on all platforms. (Squeeze is not affected because the multifilesystem backend does not exist in this version.)
For Debian 6 Squeeze, these problems have been fixed in version 0.3-2+deb6u1. We recommend that you upgrade your radicale packages.
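The regex injection named under CVE-2015-8748, shown as an added illustration that is neither Radicale's code nor part of the advisory. It assumes a rights rule whose collection pattern embeds the authenticated login; the rule format, function names and sample logins are constructed for this example. It compares interpolating the login raw with passing it through `re.escape()`.

```python
import re

# Constructed owner-only rule: {login} is replaced by the authenticated user
# name before the requested collection path is matched against it.
# Hypothetical format for this example, not Radicale's configuration syntax.
OWNER_ONLY_RULE = r"^{login}/.+$"


def allowed_unsafe(login: str, collection: str) -> bool:
    """Vulnerable form: the login is spliced into the regex unescaped."""
    pattern = OWNER_ONLY_RULE.replace("{login}", login)
    try:
        return re.match(pattern, collection) is not None
    except re.error:
        # A login with unbalanced metacharacters breaks the pattern; deny.
        return False


def allowed_safe(login: str, collection: str) -> bool:
    """Hardened form: re.escape() makes every character of the login literal."""
    pattern = OWNER_ONLY_RULE.replace("{login}", re.escape(login))
    return re.match(pattern, collection) is not None


def audit(logins, collection):
    """Return the logins for which the two checks disagree, i.e. logins whose
    metacharacters changed the meaning of the rule for this collection."""
    return [u for u in logins
            if allowed_unsafe(u, collection) != allowed_safe(u, collection)]


if __name__ == "__main__":
    # Constructed sample data.
    target = "alice/calendar.ics"
    for user in ["alice", "bob", "al.ce", "(alice"]:
        print(f"{user!r:10} unsafe={allowed_unsafe(user, target)} "
              f"safe={allowed_safe(user, target)}")
    print("logins that alter the rule:", audit(["alice", "bob", "al.ce", "(alice"], target))
```

The same disagreement check can be run over an existing user database to find logins that would have been interpreted as patterns before the fix.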