[announce] [SECURITY] RCE vulnerability in Horde_Image
Jan Schneider
jan at horde.org
Thu Sep 21 14:08:41 UTC 2017
Hello,

a Remote Code Execution vulnerability has been found in the
Horde_Image library when using the "Im" backend that utilizes
ImageMagick's "convert" utility. It's not exploitable through any
Horde application, because the code path to the vulnerability is not
used by any Horde code. Custom applications using the Horde_Image
library might be affected though. This vulnerability affects all
versions of Horde_Image from 2.0.0 to 2.5.1.

A fixed version of the Horde_Image (version 2.5.2) library has already
been released and everybody is advised to upgrade to Horde_Image 2.5.2
as soon as possible.

Thanks to long-time contributor and supporter Thomas Jarosch
<thomas.jarosch at intra2net.com> for discovering and reporting these
vulnerabilities.

--
Jan Schneider
The Horde Project
https://www.horde.org/