From Secunia:

Some vulnerabilities have been reported in the Horde Application Framework, which can be exploited by malicious people to conduct script insertion and cross-site scripting attacks and by malicious users to compromise a vulnerable system.

1) An error within the form library when handling image form fields can be exploited to overwrite arbitrary local files. Successful exploitation requires that an application uses the affected image fields (e.g. Ansel or Turba) and that the attacker has write permissions.

2) An error exists within the MIME Viewer library when rendering unknown text parts. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if malicious data is viewed.

3) The preferences system does not properly sanitise numeric preference types. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Webmail and Groupware are affected by #2 and #3.
(In reply to comment #0)
> Webmail and Groupware are affected by #2 and #3.

Cancel that. Both are vulnerable to all three issues.

+*horde-3.3.5 (15 Sep 2009) + + 15 Sep 2009; Alex Legler <a3li@gentoo.org> +horde-3.3.5.ebuild: + Non-maintainer commit: Version bump for security bug 285052. +
Arches, please test and mark stable: =www-apps/horde-3.3.5 Target keywords : "alpha amd64 hppa ppc sparc x86"
Stable for HPPA.
+*horde-webmail-1.2.4 (16 Sep 2009) + + 16 Sep 2009; Alex Legler <a3li@gentoo.org> -horde-webmail-1.0.8.ebuild, + -horde-webmail-1.1.3.ebuild, -horde-webmail-1.2.ebuild, + +horde-webmail-1.2.4.ebuild: + Non-maintainer commit: Version bump for security bug 285052. Removing + vulnerable versions. Adding USE condition on the patch in SRC_URI. Fixing + homepage, closes bug 257694. + +*horde-groupware-1.2.4 (16 Sep 2009) + + 16 Sep 2009; Alex Legler <a3li@gentoo.org> -horde-groupware-1.2.3.ebuild, + +horde-groupware-1.2.4.ebuild: + Non-maintainer commit: Version bump for security bug 285052. Removing + vulnerable version. +
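Review bot: the horde-webmail-1.2.4 entry records "Adding USE condition on the patch in SRC_URI" without naming the USE flag or the patch, so the ChangeLog does not say which download became conditional; name both in the entry, since this is the only record of a functional ebuild change made alongside the security bump and the removal of the vulnerable 1.0.8, 1.1.3 and 1.2 ebuilds.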
x86 stable
CVE-2009-3236 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3236):
Unspecified vulnerability in the form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allows remote attackers, with privileges to write to the address book, to overwrite arbitrary files via crafted "image form fields."

CVE-2009-3237 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3237):
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject arbitrary web script or HTML via the (1) crafted number preferences that are not properly handled in the preference system (services/prefs.php), as demonstrated by the sidebar_width parameter; or (2) crafted unknown MIME "text parts" that are not properly handled in the MIME viewer library (config/mime_drivers.php).
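The bug class behind item (1) of CVE-2009-3237, a preference declared as numeric that is stored and rendered without ever being checked to be a number, is easy to see in a few lines. The following is an added illustration and not Horde's code; it makes no claim about how services/prefs.php was actually written. The preference schema, the sidebar_width range and the attacker payload are constructed for the example, and only the preference name comes from the advisory. The vulnerable store/render pair is shown beside a hardened pair that enforces the declared type on write and escapes on output.

```python
import html
import re

# Constructed schema for the example: each preference declares a type.
# Names and ranges are illustrative; they are not Horde's preference definitions.
PREF_SCHEMA = {
    "sidebar_width": {"type": "number", "default": 150, "min": 50, "max": 800},
    "theme": {"type": "enum", "default": "default", "choices": ("default", "dark")},
}

# Constructed attacker input: a "number" carrying attribute-breakout markup.
PAYLOAD = '100" onmouseover="alert(1)'


class PrefError(ValueError):
    """Raised when a submitted preference fails validation."""


def store_pref_unsafe(prefs, name, value):
    """Vulnerable pattern: the schema says 'number', so the code assumes the
    submitted value is one and stores it unchecked."""
    if name not in PREF_SCHEMA:
        raise PrefError("unknown preference: %s" % name)
    prefs[name] = value
    return prefs


def store_pref(prefs, name, value):
    """Hardened: enforce the declared type and range before storing."""
    spec = PREF_SCHEMA.get(name)
    if spec is None:
        raise PrefError("unknown preference: %s" % name)
    if spec["type"] == "number":
        text = str(value).strip()
        # Only an optional sign and digits; "1e3", "0x10" and markup are refused.
        if not re.fullmatch(r"-?\d+", text):
            raise PrefError("%s must be an integer" % name)
        number = int(text)
        if not spec["min"] <= number <= spec["max"]:
            raise PrefError("%s out of range" % name)
        prefs[name] = number
    elif spec["type"] == "enum":
        if value not in spec["choices"]:
            raise PrefError("%s not in allowed choices" % name)
        prefs[name] = value
    else:
        raise PrefError("unsupported type for %s" % name)
    return prefs


def is_rejected(name, value):
    """True when the hardened store refuses the value."""
    try:
        store_pref({}, name, value)
    except PrefError:
        return True
    return False


def render_sidebar_unsafe(prefs):
    """Vulnerable rendering: interpolates the stored value straight into markup."""
    return '<div id="sidebar" style="width: %spx">' % prefs["sidebar_width"]


def render_sidebar(prefs):
    """Hardened rendering: escape on output as well, so a value that slipped
    past validation (older stored data, another write path) cannot terminate
    the attribute. Type enforcement on write remains the primary control."""
    width = prefs.get("sidebar_width", PREF_SCHEMA["sidebar_width"]["default"])
    return '<div id="sidebar" style="width: %spx">' % html.escape(str(width), quote=True)


if __name__ == "__main__":
    tainted = store_pref_unsafe({}, "sidebar_width", PAYLOAD)
    print(render_sidebar_unsafe(tainted))  # onmouseover= lands inside the tag
    print(render_sidebar(tainted))         # quotes escaped, handler stays inert text
    print(is_rejected("sidebar_width", PAYLOAD))  # hardened store never accepts it
```

The point of the two-layer fix is that the type check is what actually closes the hole: once a "number" preference can only ever hold an integer, there is nothing to escape. Output escaping is kept for values that reach the renderer by a path the validator never saw.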
amd64 stable
alpha/sparc stable
ppc stable
GLSA voting: yes
YES too, request filed.
GLSA 200911-01