
List:       horde-announce
Subject:    [announce] [SECURITY] RCE vulnerability in Horde_Image
From:       Jan Schneider <jan () horde ! org>
Date:       2017-09-21 14:08:41
Message-ID: 20170921140841.Horde.g11oCdaEk30S7g2GrSzryBz () neo ! fritz ! box

Hello,

A Remote Code Execution vulnerability has been found in the
Horde_Image library when using the "Im" backend that utilizes  
ImageMagick's "convert" utility. It's not exploitable through any  
Horde application, because the code path to the vulnerability is not  
used by any Horde code. Custom applications using the Horde_Image  
library might be affected though. This vulnerability affects all  
versions of Horde_Image from 2.0.0 to 2.5.1.

A fixed version of the Horde_Image (version 2.5.2) library has already  
been released and everybody is advised to upgrade to Horde_Image 2.5.2  
as soon as possible.

Thanks to long-time contributor and supporter Thomas Jarosch  
<thomas.jarosch@intra2net.com> for discovering and reporting these  
vulnerabilities.

-- 
Jan Schneider
The Horde Project
https://www.horde.org/
