Excerpt from my SANS email:
04.23.34 CVE: Not Available
Platform: Web Application
Title: Horde IMP Input Validation Vulnerability
Description: Horde IMP is a web-based IMAP email interface written in PHP. Insufficient sanitization of email messages that contain malicious HTML or script code exposes an arbitrary HTML injection and script execution issue. All current releases in the 3.x branch are affected.
Ref: http://www.horde.org/imp/3.2/
I don't see anything specific on their site about what exactly causes this (might be in the ChangeLog when you download it). Version 3.2.4 is in portage, but marked ~arch on all arches. Bug #53400 was the initial bug for getting it into portage, but no mention of the security fix.
moved 3.2.4 to stable and removed 3.2.3
GLSA drafted. Security please review. Bugtraq announcement can be found here: http://www.securityfocus.com/bid/10501/ Note: bug number 53862 does not appear in the ChangeLog
glsa 200406-11