CVE-2010-0463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0463): Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
From http://bugs.horde.org/ticket/8836#c14 Fixed in IMP 4.3.8 and DIMP 1.1.5 (MIMP does not need this fix because MIMP 1.x does not generate links in message content).
Please provide an updated ebuild!
not yet released...
IMP 4.3.8 and DIMP 1.1.5 were released: http://lists.horde.org/archives/announce/2010/000558.html http://lists.horde.org/archives/announce/2010/000561.html Ebuilds will be added shortly.
Arches, please test and mark stable: =www-apps/horde-dimp-1.1.5 Target keywords : "amd64 x86" =www-apps/horde-imp-4.3.8 Target keywords : "alpha amd64 hppa ppc sparc x86"
Horde IMP 4.3.8 looks to also fix an XSS as described in: http://seclists.org/fulldisclosure/2010/Sep/373 The fix is at: http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11 I do not see a CVE for this.
I tested the following things together on x86 with apache (dev-lang/php-5.2.14) and my dovecot imap server. I've seen no problems at all! :-) www-apps/horde-3.3.9 Bug #336319 www-apps/horde-imp-4.3.8 Bug #307759 www-apps/horde-dimp-1.1.5 Bug #307759 www-apps/horde-gollem-1.1.2 Bug #339168
Stable on alpha.
amd64 done
x86 stable, thanks Andreas
ppc done
sparc stable
Stable for HPPA.
GLSA Vote: No.
it seems you can close this bug
GLSA vote: no. Closing noglsa.