Debian Security Advisory
DLA-1395-1 php-horde-image -- LTS security update
- Date Reported:
- 22 Jun 2018
- Affected Packages:
- php-horde-image
- Security database references:
- In the Debian bugtracking system: Bug 876400.
- In Mitre's CVE dictionary: CVE-2017-9774, CVE-2017-14650.
- More information:
It was discovered that there were two remote code execution vulnerabilities in php-horde-image, the image processing library for the Horde (https://www.horde.org/) groupware tool:
A remote code execution vulnerability (RCE) that was exploitable by a logged-in user sending a maliciously crafted HTTP GET request to various image backends.
Note that the fix applied upstream has a regression in that it ignores the "force aspect ratio" option; see https://github.com/horde/Image/pull/1.
Another RCE that was exploitable by a logged-in user sending a maliciously crafted GET request specifically to the
For Debian 8 "Jessie", these issues have been fixed in php-horde-image version 2.1.0-4+deb8u1.
We recommend that you upgrade your php-horde-image packages.
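Whether an installed php-horde-image is actually at or above the fixed version 2.1.0-4+deb8u1 is decided by dpkg's version ordering, not by string or numeric comparison: a "+deb8u1" suffix sorts after the bare "-4" revision, a "~" suffix sorts before the release it precedes, and an epoch outranks everything after the colon. The following is an added example, not code from this advisory, from Debian or from the Horde project: a Python port of the deb-version(7) ordering, applied to a constructed sample of dpkg-query output, that flags an installed package sitting below the advisory's fixed version. The sample output, the package table and the function names are assumptions for the example; on a real host, `dpkg --compare-versions` is the authoritative check, and the input would come from `dpkg-query -W -f '${Package} ${Version} ${Status}\n' php-horde-image`.

```python
"""Added example (not from the advisory, Debian or Horde): check installed
Debian package versions against the DLA-1395-1 fix using dpkg's ordering.
The comparison is a port of the algorithm in deb-version(7); the dpkg-query
sample below is constructed for the example."""

# Fixed version from the advisory, Debian 8 "Jessie" (assumed package table).
FIXED_VERSIONS = {"php-horde-image": "2.1.0-4+deb8u1"}

# Constructed sample of: dpkg-query -W -f '${Package} ${Version} ${Status}\n'
# One host still carrying the pre-advisory package.
SAMPLE_DPKG_QUERY = """\
php-horde-image 2.1.0-4 install ok installed
php-horde-core 2.22.6+debian0-1 install ok installed
libc6 2.19-18+deb8u10 install ok installed
"""

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run (deb-version(7)):
    '~' sorts before everything, even end of string; letters before
    non-letters; a digit or the end of the string weighs 0."""
    if c == "" or c in _DIGITS:
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream-version or debian-revision pair by alternating
    non-digit runs (by _order) and digit runs (numerically, leading zeros
    ignored). Returns <0, 0 or >0 like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: the first differing weight decides.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run is larger, otherwise
        # the first differing digit decides (so 4 < 10, unlike a string sort).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff != 0:
            return first_diff
    return 0


def parse_version(v: str):
    """Split [epoch:]upstream[-revision]: the last hyphen starts the Debian
    revision; a missing epoch is 0 and a missing revision is ''."""
    epoch = 0
    if ":" in v:
        epoch_str, v = v.split(":", 1)
        epoch = int(epoch_str)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as Debian version a is older than, equal to or newer than b
    (the ordering `dpkg --compare-versions` implements)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c != 0:
            return -1 if c < 0 else 1
    return 0


def vulnerable_packages(dpkg_query_output: str, fixed=FIXED_VERSIONS):
    """(package, installed, fixed) for each installed package whose version
    sorts below the advisory's fixed version."""
    findings = []
    for line in dpkg_query_output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        pkg, installed = fields[0], fields[1]
        # ${Status} is "install ok installed"; only the last word says the
        # package is really on disk (not removed/config-files/half-installed).
        if fields[-1] != "installed" or pkg not in fixed:
            continue
        if compare_versions(installed, fixed[pkg]) < 0:
            findings.append((pkg, installed, fixed[pkg]))
    return findings


if __name__ == "__main__":
    for pkg, installed, fixed in vulnerable_packages(SAMPLE_DPKG_QUERY):
        print(f"{pkg} {installed} is below the DLA-1395-1 fix {fixed}: upgrade")
```

The same ordering is what makes "2.1.0-4+deb8u1" a strictly newer revision than "2.1.0-4" while still belonging to upstream 2.1.0, which is why a security rebuild can ship under the LTS suffix without a new upstream version; a plain lexical comparison would misorder both this suffix and tilde pre-releases.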