
Bug 237362 (CVE-2008-3823)

Summary: www-apps/horde <= 3.2.1 (including 3.1.8) XSS vulnerabilities (CVE-2008-{3823,3824})
Product: Gentoo Security Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: wrobel
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/archive/1/496182/30/0/threaded
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2008-09-10 18:07:34 UTC
Two cross-site scripting (XSS) vulnerabilities were reported in Horde
Framework. The first is that the Horde framework fails to properly
sanitize the filename of MIME attachments on received emails.  The second
vulnerability has a wider impact.

Patches are available. For full information please see attached URL.
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-15 11:40:59 UTC
Horde-3.1.9 and Horde-3.2.2 are in the tree. 

Targets for horde-3.1.9:

  alpha amd64 hppa ppc sparc x86
Comment 2 Ferris McCormick (RETIRED) gentoo-dev 2008-09-15 12:16:24 UTC
Sparc stable for www-apps/horde-3.1.9.  If you wanted 3.2.2 as well, please add us back.
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-15 14:04:58 UTC
Both horde-webmail and horde-groupware bundle the horde packages and have been updated to horde-webmail-1.0.8, -1.1.3 and horde-groupware-1.0.7, -1.1.3.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-09-15 14:50:16 UTC
Thanks for bumping. Stable target is solely
=www-apps/horde-3.1.9
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-16 00:56:00 UTC
Stable for HPPA.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-09-16 02:28:03 UTC
CVE-2008-3823 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3823):
  Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in
  the MIME library in Horde 3.2.x before 3.2.2 allows remote attackers
  to inject arbitrary web script or HTML via the filename of a MIME
  attachment in an e-mail message.

CVE-2008-3824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3824):
  Cross-site scripting (XSS) vulnerability in (1)
  Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x
  before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier
  allows remote attackers to inject arbitrary web script or HTML by
  using / (slash) characters as replacements for spaces in an HTML
  e-mail message.
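
The bypass class named in the CVE-2008-3824 text above, as an added example that is not part of this bug report and is not Horde's or Popoon's code: a whitespace-anchored pattern misses attributes separated by `/`, while an HTML tokenizer still reports them. The regex, the function names and the sample strings are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Hypothetical filter pattern (not Horde's code): it expects whitespace
# in front of an event-handler attribute such as onload= or onerror=.
NAIVE_EVENT_ATTR = re.compile(r"\s+on\w+\s*=", re.IGNORECASE)


def naive_filter_flags(html: str) -> bool:
    """Return True if the whitespace-anchored pattern sees a handler."""
    return bool(NAIVE_EVENT_ATTR.search(html))


class _HandlerCollector(HTMLParser):
    """Collect (tag, attribute) pairs for on* attributes in start tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        self.found += [(tag, name) for name, _ in attrs if name.startswith("on")]


def event_handler_attrs(html: str) -> list:
    """Tokenize the markup and report event-handler attributes."""
    parser = _HandlerCollector()
    parser.feed(html)
    parser.close()
    return parser.found


# Constructed samples; track() is a placeholder handler name.
SAMPLES = {
    "space-separated": '<img src="x.png" onload="track()">',
    "slash-separated": '<img/src="x.png"/onload="track()">',
    "plain text": "<p>set online = yes</p>",
}

if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(label, naive_filter_flags(markup), event_handler_attrs(markup))
```

The text-based pattern both misses the slash-separated form and flags ordinary text, which is why a sanitizer should decide on parsed attributes against an allowlist rather than on raw markup.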

Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-09-17 08:29:45 UTC
alpha/x86 stable
Comment 8 Markus Meier gentoo-dev 2008-09-17 20:16:05 UTC
amd64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-19 18:52:42 UTC
ppc stable
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-19 19:58:05 UTC
Time for GLSA decision, I vote NO.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-22 12:38:25 UTC
NO too, closing.