In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user’s preferences, and has enabled the “Should PGP signed messages be automatically verified when viewed?” preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it.
Category Archives: Security
Security
CVE-2017-3204
The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.
CVE-2017-7413
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address.
libpng12-1.2.57-1.fc25
* Update to upstream release **1.2.57**.
* Fixes **CVE-2016-10087**.
libpng12-1.2.57-1.fc24
* Update to upstream release **1.2.57**.
* Fixes **CVE-2016-10087**.
libpng12-1.2.57-1.fc26
* Update to upstream release **1.2.57**.
* Fixes **CVE-2016-10087**.
libpng15-1.5.28-1.fc24
* Update to upstream release **1.5.28**.
* Fixes **CVE-2016-10087**.
libpng15-1.5.28-1.fc25
* Update to upstream release **1.5.28**.
* Fixes **CVE-2016-10087**.
mod_cluster-1.3.3-10.el7
Upgrade to 1.3.3 (current rawhide) and patch to change catalina deps
libupnp-1.6.21-1.el7
Long standing security bugs fixed through update to version 1.6.21.