List:       oss-security
Subject:    Re: [oss-security] CVE request: Horde Gollem <1.1.2 XSS in view.php
From:       Alex Legler <a3li () gentoo ! org>
Date:       2010-09-30 21:58:39
Message-ID: 1285882843-sup-9076 () stingray

Hey,

Excerpts from Moritz Muehlenhoff's message of Thu Sep 30 23:13:56 +0200 2010:
> 
> There appear to be quite a few new issues related to Horde and
> related packages. AFAICT the issues mentioned below are also new
> and haven't been assigned CVE IDs?
>

Right. I didn't finish wading through all Changesets. ;)

> Horde:
> http://lists.horde.org/archives/announce/2010/000568.html
>

From that link:
>     * Fixed an XSS vulnerability in util/icon_browser.php.

CVE-2010-3077. Also fixed in Horde Application Framework 3.3.9.

>     * Fixed an XSS vulnerability in the Fetchmail configuration.

CVE n/a. Also fixed in Horde IMP 4.3.8.
Reference: http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11

>     * Fixed an XSS vulnerability when showing mailbox names.

CVE n/a. Also fixed in Horde DIMP 1.1.5.
Reference: http://bugs.horde.org/ticket/9240

>     * Protected preference forms against CSRF attacks.

CVE n/a. Also fixed in Horde Application Framework 3.3.9.
Reference: http://secunia.com/advisories/39860


> Dimp (Dynamic Imp):
> http://lists.horde.org/archives/announce/2010/000561.html
>

Already handled above (mailbox name XSS).

> Imp4
> http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.html
> 

Already handled above (fetchmail XSS).

Additionally, CVE-2010-0463 (DNS prefetching) was resolved in IMP 4.3.8
and DIMP 1.1.5.
Reference: http://bugs.horde.org/ticket/8836#c14

Finally, there is the Gollem XSS which just got CVE-2010-3447 from Josh.

This should now be the complete list of fixes in the latest Horde
updates (I hope). Josh, can you also assign CVEs to the rest of the
issues?

Thanks,
Alex
-- 
Alex Legler <a3li@gentoo.org>
Gentoo Security/Ruby
