307759 – (CVE-2010-0463) <www-apps/horde-{imp-4.3.8, dimp-1.1.5} DNS prefetching Information Disclosure (CVE-2010-0463)

Bug 307759 (CVE-2010-0463) - <www-apps/horde-{imp-4.3.8, dimp-1.1.5} DNS prefetching Information Disclosure (CVE-2010-0463)

Summary: <www-apps/horde-{imp-4.3.8, dimp-1.1.5} DNS prefetching Information Disclosur...

Status:	RESOLVED FIXED

Alias:	CVE-2010-0463

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://bugs.horde.org/ticket/8836
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2010-03-04 11:50 UTC by Alex Legler (RETIRED)
Modified:	2014-06-01 13:23 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Legler (RETIRED) archtester

2010-03-04 11:50:30 UTC

CVE-2010-0463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0463):
  Horde IMP 4.3.6 and earlier does not request that the web browser
  avoid DNS prefetching of domain names contained in e-mail messages,
  which makes it easier for remote attackers to determine the network
  location of the webmail user by logging DNS requests.

Comment 1 Alex Legler (RETIRED) archtester

2010-07-14 20:13:25 UTC

From http://bugs.horde.org/ticket/8836#c14

Fixed in IMP 4.3.8 and DIMP 1.1.5 (MIMP does not need this fix because 
MIMP 1.x does not generate links in message content).

Comment 2 Stefan Behte (RETIRED) gentoo-dev

2010-08-01 13:44:27 UTC

Please provide an updated ebuild!

Comment 3 Alex Legler (RETIRED) archtester

2010-08-01 14:10:02 UTC

not yet released...

Comment 4 Alex Legler (RETIRED) archtester

2010-09-29 16:36:08 UTC

IMP 4.3.8 and DIMP 1.1.5 were released:
http://lists.horde.org/archives/announce/2010/000558.html
http://lists.horde.org/archives/announce/2010/000561.html

Ebuilds will be added shortly.

Comment 5 Alex Legler (RETIRED) archtester

2010-09-29 18:53:44 UTC

Arches, please test and mark stable:
=www-apps/horde-dimp-1.1.5
Target keywords : "amd64 x86"

=www-apps/horde-imp-4.3.8
Target keywords : "alpha amd64 hppa ppc sparc x86"

Comment 6 Tim Sammut (RETIRED) gentoo-dev

2010-09-30 19:52:47 UTC

Horde IMP 4.3.8 looks to also fix an XSS as described in:

http://seclists.org/fulldisclosure/2010/Sep/373

The fix is at:

http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11

I do not see a CVE for this.

Comment 7 Andreas Schürch gentoo-dev

2010-10-01 11:09:45 UTC

I tested the following things together on x86 with apache (dev-lang/php-5.2.14) and my dovecot imap server. I've seen no problems at all! :-)

www-apps/horde-3.3.9 Bug #336319
www-apps/horde-imp-4.3.8 Bug #307759
www-apps/horde-dimp-1.1.5 Bug #307759
www-apps/horde-gollem-1.1.2 Bug #339168

Comment 8 Tobias Klausmann (RETIRED) gentoo-dev

2010-10-02 14:54:06 UTC

Stable on alpha.

Comment 9 Markos Chandras (RETIRED) gentoo-dev

2010-10-03 16:33:10 UTC

amd64 done

Comment 10 Markus Meier gentoo-dev

2010-10-05 19:07:35 UTC

x86 stable, thanks Andreas

Comment 11 Brent Baude (RETIRED) gentoo-dev

2010-10-08 14:55:39 UTC

ppc done

Comment 12 Raúl Porcel (RETIRED) gentoo-dev

2010-10-10 17:07:34 UTC

sparc stable

Comment 13 Jeroen Roovers (RETIRED) gentoo-dev

2010-10-22 04:08:46 UTC

Stable for HPPA.

Comment 14 Tim Sammut (RETIRED) gentoo-dev

2010-11-19 19:09:55 UTC

GLSA Vote: No.

Comment 15 martin holzer 2011-04-29 10:48:13 UTC

it seems you can close this bug

Comment 16 Sean Amoss (RETIRED) gentoo-dev

2014-06-01 13:23:35 UTC

GLSA vote: no. 

Closing noglsa.