Updated zarafa packages fix multiple vulnerabilities
Publication date: 22 Sep 2014Modification date: 22 Sep 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-0103 , CVE-2014-5447 , CVE-2014-5448 , CVE-2014-5449 , CVE-2014-5450
Description
Updated zarafa packages fix security vulnerabilities:
Robert Scheck reported that Zarafa's WebAccess stored session information,
including login credentials, on-disk in PHP session files. This session file
would contain a user's username and password to the Zarafa IMAP server
(CVE-2014-0103).
Robert Scheck discovered that the Zarafa Collaboration Platform has multiple
incorrect default permissions (CVE-2014-5447, CVE-2014-5448, CVE-2014-5449,
CVE-2014-5450).
References
- https://bugs.mageia.org/show_bug.cgi?id=13822
- https://lists.fedoraproject.org/pipermail/package-announce/2014-July/136033.html
- https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137158.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0103
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5447
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5448
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5449
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5450
SRPMS
3/core
- zarafa-7.1.11-1.mga3
4/core
- zarafa-7.1.11-1.mga4