
Bug 346697

Summary: <www-apps/horde-3.3.11: XSS Vulnerability
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED)
Component: Vulnerabilities
Assignee: Gentoo Security
Status: RESOLVED FIXED
Severity: minor
CC: a3li
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.horde.org/archives/announce/2010/000574.html
Whiteboard: B4 [noglsa]
Package list: (none)
Runtime testing required: ---
Attachments: build log (flags: none)

Description Tim Sammut (RETIRED) gentoo-dev 2010-11-24 21:55:52 UTC
From the Secunia advisory at http://secunia.com/advisories/42355/:

Certain unspecified input is not properly sanitised before being displayed to the user while viewing a vCard. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious vCard is being viewed.

Upstream has posted new versions of all three packages.

www-apps/horde: http://lists.horde.org/archives/announce/2010/000574.html
www-apps/horde-groupware: http://lists.horde.org/archives/announce/2010/000575.html
www-apps/horde-webmail: http://lists.horde.org/archives/announce/2010/000576.html
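To illustrate the bug class the advisory describes, here is an added example (not code from Horde or from this bug report): a minimal vCard 3.0 parser and two renderers, one that concatenates card fields straight into HTML and one that escapes every field on output. The property names shown (FN, EMAIL, NOTE) and the sample card are assumptions, since the advisory does not say which field was affected.

```python
import html
import re


def parse_vcard(text: str) -> dict:
    """Parse one vCard into {PROPERTY: value}.

    Unfolds continuation lines (a line starting with a space or tab joins
    the previous one, RFC 2425 section 5.8.1) and strips property
    parameters such as ";TYPE=INTERNET". The first occurrence of each
    property wins; that is enough for the rendering comparison below.
    """
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    props = {}
    for line in unfolded.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        props.setdefault(name.split(";", 1)[0].upper(), value)
    return props


def render_vcard_unsafe(props: dict) -> str:
    """Vulnerable pattern: card values are inserted into markup verbatim,
    so any HTML or script inside the card reaches the viewer's browser."""
    return (
        "<p>{fn}</p>"
        '<p><a href="mailto:{email}">{email}</a></p>'
        "<p>{note}</p>"
    ).format(fn=props.get("FN", ""), email=props.get("EMAIL", ""),
             note=props.get("NOTE", ""))


def render_vcard(props: dict) -> str:
    """Hardened pattern: every value is HTML-escaped at the point of output.
    quote=True also escapes quotes, which matters inside the href attribute."""
    esc = lambda k: html.escape(props.get(k, ""), quote=True)
    return (
        "<p>{fn}</p>"
        '<p><a href="mailto:{email}">{email}</a></p>'
        "<p>{note}</p>"
    ).format(fn=esc("FN"), email=esc("EMAIL"), note=esc("NOTE"))


# Constructed sample card; the NOTE field carries markup across a folded line.
SAMPLE_VCARD = (
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "FN:Alice Example\r\n"
    "EMAIL;TYPE=INTERNET:alice@example.test\r\n"
    "NOTE:Met at the <b>conference</b>\r\n"
    " <script>alert(1)</script>\r\n"
    "END:VCARD\r\n"
)
```

Running `render_vcard_unsafe(parse_vcard(SAMPLE_VCARD))` yields markup containing a live `<script>` element, while `render_vcard` yields only entity-encoded text.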
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-11-28 14:22:01 UTC
Arches, please test and mark stable:
=www-apps/horde-3.3.11
Target keywords : "alpha amd64 hppa ppc sparc x86"
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-11-28 14:22:45 UTC
horde-groupware and -webmail are masked due to the open issues and lack of maintainers.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-30 18:17:51 UTC
Stable for HPPA.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-12-02 13:26:19 UTC
x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-12-04 17:30:11 UTC
alpha/sparc stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-07 20:46:34 UTC
Stable for PPC.
Comment 7 blain 'Doc' Anderson 2010-12-19 11:43:20 UTC
Created attachment 257536: build log
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-12-19 15:22:33 UTC
Comment on attachment 257536: build log

That's a log from webapp-config and has nothing to do with horde. I suggest you file a new bug for that.
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2010-12-29 15:36:40 UTC
amd64 done
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2010-12-29 19:03:44 UTC
Thanks, folks. Closing noglsa for WebApp XSS.