Chora vulnerability has been fixed for three months
Michael Wallner wrote a blog entry about a vulnerability in Chora, Horde's CVS viewer. This vulnerability was fixed three months ago.

Michael Wallner wrote in this blog entry about a remote execution vulnerability in Chora 1.2. If you expose a vulnerability, especially a remotely executable one, to the public, you should follow at least the most basic requirements. His entry is at best confusing, so here are some hard facts:
- In case you wondered, Michael didn't discover this vulnerability. It was reported by Stefan Esser on June 12th to the Horde team.
- All versions up to and including Chora 1.2.1 are affected, not only Chora 1.2.
- A fixed version, Chora 1.2.2, was released and announced on the same day. It is debatable whether this was a good idea: you probably should not release security fixes on weekends, even if that means leaving the hole open for another day or two.
- http://cvs.php.net was updated at the same time.
- Stefan Esser released a Security Advisory on the next day, June 13th.