Chora vulnerability is fixed for three months

Michael Wallner wrote a blog entry about a vulnerability in Chora, Horde's CVS viewer. This vulnerability has been fixed already three months ago.

Michael Wallner wrote in this blog entry about a remote execution vulnerabiltiy in Chora 1.2. If you expose a vulnerabilty, especially a remotely executable one, to the public, you should follow at least the most basic requirements. His entry is at best confusing, so here are some hard facts:
  1. In case you wondered, Michael didn't discover this vulnerability. It was reported by Stefan Esser on June 12th to the Horde team.
  2. All versions up to and including Chora 1.2.1 are affected, not only Chora 1.2
  3. A fixed version, Chora 1.2.2 was released and announced on the same day. It is debateable if this was a good idea, you probably should not release security fixes on weekends, even if you leave this hole open for another one or two days.
  4. was updated at the same time.
  5. Stefan Esser released a Security Advisory on the next day, June 13rd.