Date: Thu, 11 Apr 2013 15:12:51 +0200
From: Evert Pot <evert@...ftopsolutions.nl>
To: oss-security@...ts.openwall.com
Subject: SabreDAV security advisory (CVE-2013-1939)

# Local file exposure issue
Web: 
https://groups.google.com/forum/?fromgroups=#!topic/sabredav-discuss/ehOUu7wTSGQ


## CVE IDENTIFIERS
- CVE-2013-1939

## AFFECTED SOFTWARE
- SabreDAV < 1.6.8, < 1.7.6, < 1.8.4 running on Windows hosts.

## DESCRIPTION

It was possible for authenticated users to read any file on the local
filesystem, accessible by the webserver.

Thanks to Lukas Reschke for reporting this issue.

## RESOLUTION
Update to SabreDAV 1.6.9, 1.7.7 or 1.8.5 or turn off the 'Browser plugin'.

Zipballs:
http://code.google.com/p/sabredav/downloads/list

Or with composer:
composer update sabre/dav

Regards,
Evert Pot
