[announce] [SECURITY] Remote execution backdoor after server hack (CVE-2012-0209)
jan at horde.org
Mon Feb 13 14:27:50 UTC 2012
Dear Horde users,
a few days ago we became aware of a manipulated file on our FTP
server. Upon further investigation we discovered that the server has
been hacked earlier, and three releases have been manipulated to allow
unauthenticated remote PHP execution.
We have immediately taken down all distribution servers to further
analyze the extent of this incident, and we have worked closely with
various Linux distributions to coordinate our response.
Since then the FTP and PEAR servers have been replaced and further
secured. Clean versions of our releases have been uploaded.
This issue will be tracked as CVE-2012-0209:
We have been able to limit the manipulation to three files downloaded
during a certain timeframe. The affected releases are:
- Horde 3.3.12 downloaded between November 15 and February 7
- Horde Groupware 1.2.10 downloaded between November 9 and February 7
- Horde Groupware Webmail Edition 1.2.10 downloaded between November 2
and February 7
No other releases have been affected. Specifically, no Horde 4
releases were compromised. Our CVS and Git repositories are not
affected either. Linux distributions that are affected will notify and
provide security releases individually.
If you are not sure whether you are affected or want to verify
manually whether you are affected, you can search for this signature
in your Horde directory tree:
We recommend that all users of the affected version immediately
re-install using fresh copies downloaded from our FTP server, or to
upgrade to the more recent versions that have been released since
then. This is a list of suggested replacements and their MD5 checksums:
If you are running Horde 4, you don't need to do anything.
We apologize for the inconvenience and assure you that we are
undertaking a full security review of our procedures to prevent this
kind of incident from happening again.
If you have further questions, please ask on the Horde mailing list:
The Horde Project
More information about the announce