Bug 346697 - <www-apps/horde-3.3.11: XSS Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://lists.horde.org/archives/annou...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-11-24 21:55 UTC by Tim Sammut (RETIRED)
Modified: 2010-12-29 19:03 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
build log (build.log,6.85 KB, text/plain)
2010-12-19 11:43 UTC, blain 'Doc' Anderson

Description Tim Sammut (RETIRED) gentoo-dev 2010-11-24 21:55:52 UTC
From the Secunia advisory at http://secunia.com/advisories/42355/:

Certain unspecified input is not properly sanitised before being displayed to the user while viewing a vCard. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious vCard is being viewed.

Upstream has posted new versions of all three packages.

www-apps/horde: http://lists.horde.org/archives/announce/2010/000574.html
www-apps/horde-groupware: http://lists.horde.org/archives/announce/2010/000575.html
www-apps/horde-webmail: http://lists.horde.org/archives/announce/2010/000576.html
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-11-28 14:22:01 UTC
Arches, please test and mark stable:
=www-apps/horde-3.3.11
Target keywords : "alpha amd64 hppa ppc sparc x86"
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-11-28 14:22:45 UTC
horde-groupware and -webmail are masked due to the open issues and lack of maintainers.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-30 18:17:51 UTC
Stable for HPPA.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-12-02 13:26:19 UTC
x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-12-04 17:30:11 UTC
alpha/sparc stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-07 20:46:34 UTC
Stable for PPC.
Comment 7 blain 'Doc' Anderson 2010-12-19 11:43:20 UTC
Created attachment 257536
build log
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-12-19 15:22:33 UTC
Comment on attachment 257536
build log 

That's a log from webapp-config and has nothing to do with horde. I suggest you file a new bug for that.
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2010-12-29 15:36:40 UTC
amd64 done
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2010-12-29 19:03:44 UTC
Thanks, folks. Closing noglsa for WebApp XSS.