Summary: | www-apps/horde <= 3.2.1 (including 3.1.8) XSS vulnerabilities (CVE-2008-{3823,3824}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | wrobel |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.securityfocus.com/archive/1/496182/30/0/threaded | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Paweł Hajdan, Jr. (RETIRED)
2008-09-10 18:07:34 UTC
Horde-3.1.9 and Horde-3.2.2 are in the tree.

Targets for horde-3.1.9: alpha amd64 hppa ppc sparc x86

Sparc stable for www-apps/horde-3.1.9. If you wanted 3.2.2 as well, please add us back.

Both horde-webmail and horde-groupware bundle the horde packages and have been updated to horde-webmail-1.0.8, -1.1.3 and horde-groupware-1.0.7, -1.1.3.

Thanks for bumping. Stable target is solely =www-apps/horde-3.1.9

Stable for HPPA.

CVE-2008-3823 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3823): Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in the MIME library in Horde 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via the filename of a MIME attachment in an e-mail message.

CVE-2008-3824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3824): Cross-site scripting (XSS) vulnerability in (1) Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier allows remote attackers to inject arbitrary web script or HTML by using / (slash) characters as replacements for spaces in an HTML e-mail message.

alpha/x86 stable

amd64 stable

ppc stable

Time for GLSA decision, I vote NO.

NO too, closing.
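
The CVE-2008-3824 description above (slashes standing in for spaces between attributes) is illustrated by the following added example, which is not Horde's or Popoon's code. The blocklist regex, the allowlist and both sample strings are constructed for illustration; the example contrasts a whitespace-anchored filter with one that rebuilds markup from parsed tokens.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed blocklist pattern (not Horde's actual regex): it assumes an
# event-handler attribute is always preceded by whitespace.
NAIVE_HANDLER = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)

def naive_filter(markup):
    """Delete whitespace-preceded on*= attributes; everything else passes."""
    return NAIVE_HANDLER.sub("", markup)

# Hypothetical allowlist: tag -> permitted attributes.
ALLOWED = {"p": set(), "b": set(), "i": set(), "img": {"src", "alt"}}
SAFE_SRC = re.compile(r"(https?://)?[\w./-]+")  # no other URL schemes

class AllowlistSanitizer(HTMLParser):
    """Rebuild markup from parsed tokens, so separators never matter."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return
        kept = [(k, v or "") for k, v in attrs if k in ALLOWED[tag]]
        kept = [(k, v) for k, v in kept if k != "src" or SAFE_SRC.fullmatch(v)]
        self.out.append("<" + tag + "".join(f' {k}="{escape(v)}"' for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def parser_filter(markup):
    s = AllowlistSanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out)

# Constructed inputs: the same attributes, space- versus slash-separated.
SPACED = '<p>hi</p><img src="x.png" onerror="void(0)">'
SLASHED = '<p>hi</p><img/src="x.png"/onerror="void(0)">'

if __name__ == "__main__":
    for sample in (SPACED, SLASHED):
        print(naive_filter(sample), "|", parser_filter(sample))
```

The regex filter cleans the space-separated form but returns the slash-separated form unchanged, while the allowlist output is identical for both because attributes are taken from the parser rather than matched by their separator.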