Debian Security Advisory

DSA-1002-1 webcalendar -- several vulnerabilities

Date Reported:
15 Mar 2006
Affected Packages:
webcalendar
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 341208, Bug 342090.
In the Bugtraq database (at SecurityFocus): BugTraq ID 15606, BugTraq ID 15608, BugTraq ID 15662, BugTraq ID 15673.
In Mitre's CVE dictionary: CVE-2005-3949, CVE-2005-3961, CVE-2005-3982.
More information:

Several security related problems have been discovered in webcalendar, a PHP based multi-user calendar. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

  • CVE-2005-3949

    Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands.

  • CVE-2005-3961

    Missing input sanitising allows an attacker to overwrite local files.

  • CVE-2005-3982

    A CRLF injection vulnerability allows remote attackers to modify HTTP headers and conduct HTTP response splitting attacks.

The old stable distribution (woody) does not contain webcalendar packages.

For the stable distribution (sarge) these problems have been fixed in version 0.9.45-4sarge3.

For the unstable distribution (sid) these problems have been fixed in version 1.0.2-1.

We recommend that you upgrade your webcalendar package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:
http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge3.dsc
http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge3.diff.gz
http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge3_all.deb

MD5 checksums of the listed files are available in the original advisory.