
[SECURITY] [DLA 403-1] radicale security update



Package        : radicale
Version        : 0.3-2+deb6u1
CVE ID         : CVE-2015-8747 CVE-2015-8748
Debian Bug     : 809920

Several issues have been discovered by Unrud in Radicale, a calendar
and addressbook server. A remote attacker could exploit these
vulnerabilities and call arbitrary functions by sending crafted HTTP
requests.


CVE-2015-8748
    Prevent regex injection in rights management.
    Prevent crafted HTTP request from calling arbitrary functions.

CVE-2015-8747
    The multifilesystem backend allows access to arbitrary files
    on all platforms. (Squeeze is not affected because the
    multifilesystem backend does not exist in this version.)


For Debian 6 "Squeeze", these problems have been fixed in version
0.3-2+deb6u1.

We recommend that you upgrade your radicale packages.
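
The regex injection class named under CVE-2015-8748, as an added illustration that is not part of the advisory and not Radicale's code. It assumes a rights rule that substitutes the login name into a collection pattern; the rule template, function names and sample requests are hypothetical and constructed.

```python
import re

# Hypothetical rights rule (assumed format): a user may access collections
# under their own name. "{login}" is filled in for each request.
RULE_TEMPLATE = r"^{login}/.*$"


def allowed_unescaped(login, collection):
    """Unescaped form: the login is pasted into the pattern as-is, so regex
    metacharacters in it change what the rule matches."""
    pattern = RULE_TEMPLATE.format(login=login)
    try:
        return re.match(pattern, collection) is not None
    except re.error:
        # A login that does not compile as a regex is denied, not a crash.
        return False


def allowed_escaped(login, collection):
    """Hardened form: re.escape() makes the login match only itself."""
    pattern = RULE_TEMPLATE.format(login=re.escape(login))
    return re.match(pattern, collection) is not None


# Constructed sample requests: (login, requested collection path)
SAMPLES = [
    ("alice", "alice/calendar.ics"),  # own collection
    ("alice", "bob/calendar.ics"),    # another user's collection
    ("a.ice", "alice/calendar.ics"),  # '.' acts as a wildcard if unescaped
    ("a.ice", "a.ice/calendar.ics"),  # literal login still matches itself
    ("(", "bob/calendar.ics"),        # login that is not a valid regex
]


def compare(samples=SAMPLES):
    """Return (login, collection, unescaped_result, escaped_result) rows."""
    return [(login, coll, allowed_unescaped(login, coll), allowed_escaped(login, coll))
            for login, coll in samples]


if __name__ == "__main__":
    for login, coll, before, after in compare():
        print(f"{login!r:8} {coll:20} unescaped={before!s:5} escaped={after}")
```

Rows where the two columns differ are the requests whose authorization outcome depended on regex metacharacters in the login.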