The first security update for Debian GNU/Linux 8 LTS has been released. Updated php-horde-image packages are available to address two remote code execution vulnerabilities.

Package : php-horde-image
Version : 2.1.0-4+deb8u1
CVE IDs : CVE-2017-9774 CVE-2017-14650
Debian Bugs : #865505 876400

It was discovered that there were two remote code execution
vulnerabilities in php-horde-image, the image processing library for the
Horde https://www.horde.org/ groupware tool:

* CVE-2017-9774: A remote code execution vulnerability (RCE) that was
exploitable by a logged-in user sending a maliciously crafted HTTP GET
request to various image backends.

Note that the fix applied upstream has a regression in that it ignores
the "force aspect ratio" option; see https://github.com/horde/Image/pull/1.

* CVE-2017-14650: Another RCE that was exploitable by a logged-in
user sending a maliciously crafted GET request specifically to the "im"
image backend.

For Debian 8 "Jessie", these issues have been fixed in php-horde-image
version 2.1.0-4+deb8u1.

We recommend that you upgrade your php-horde-image packages.

  PHP-Horde-Image Security Update for Debian 8 LTS