From ${URL} : A CSRF flaw was reported [1],[2] in the way Horde Groupware handled requests to change permissions. Due to a missing unique token in the form, an attacker with knowledge of the victim's name and address book ID could transmit unauthorized commands to Horde Groupware as the victim. This has been fixed in git. [3] [1] http://www.securityfocus.com/archive/1/529590 [2] http://bugs.horde.org/ticket/12804 [3] https://github.com/horde/horde/commit/b79114d08ee8c8e43e74a179741749529f6d885c @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
# Aaron Bauman <bman@gentoo.org> (05 Mar 2016) # Per security bug #399563, #489946, #489948, and # #490422 these packages are vulnerable # and unmaintained. Removal in 30 days. www-apps/horde www-apps/horde-chora www-apps/horde-dimp www-apps/horde-gollem www-apps/horde-hermes www-apps/horde-imp www-apps/horde-ingo www-apps/horde-jeta www-apps/horde-kronolith www-apps/horde-mimp www-apps/horde-mnemo www-apps/horde-nag www-apps/horde-passwd www-apps/horde-pear www-apps/horde-turba
Removed, here is the final commit among all the packages: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0360b9ce9b71fa3ac557e2665a7353481de2466a
