Bug 237362 (CVE-2008-3823) - www-apps/horde <= 3.2.1 (including 3.1.8) XSS vulnerabilities (CVE-2008-{3823,3824})
Summary: www-apps/horde <= 3.2.1 (including 3.1.8) XSS vulnerabilities (CVE-2008-{3823...
Status: RESOLVED FIXED
Alias: CVE-2008-3823
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-10 18:07 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2008-09-22 12:38 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2008-09-10 18:07:34 UTC
Two cross-site scripting (XSS) vulnerabilities were reported in Horde
Framework. The first of which is that the Horde framework fails to properly
sanitize the filename of MIME attachments on received emails.  The second
vulnerability has a wider impact.

Patches are available. For full information please see attached URL.
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-15 11:40:59 UTC
Horde-3.1.9 and Horde-3.2.2 are in the tree.

Targets for horde-3.1.9:

  alpha amd64 hppa ppc sparc x86
Comment 2 Ferris McCormick (RETIRED) gentoo-dev 2008-09-15 12:16:24 UTC
Sparc stable for www-apps/horde-3.1.9.  If you wanted 3.2.2 as well, please add us back.
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-15 14:04:58 UTC
Both horde-webmail and horde-groupware bundle the horde packages and have been updated to horde-webmail-1.0.8, -1.1.3 and horde-groupware-1.0.7, -1.1.3.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-09-15 14:50:16 UTC
Thanks for bumping. Stable target is solely
=www-apps/horde-3.1.9
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-16 00:56:00 UTC
Stable for HPPA.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-09-16 02:28:03 UTC
CVE-2008-3823 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3823):
  Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in
  the MIME library in Horde 3.2.x before 3.2.2 allows remote attackers
  to inject arbitrary web script or HTML via the filename of a MIME
  attachment in an e-mail message.

CVE-2008-3824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3824):
  Cross-site scripting (XSS) vulnerability in (1)
  Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x
  before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier
  allows remote attackers to inject arbitrary web script or HTML by
  using / (slash) characters as replacements for spaces in an HTML
  e-mail message.
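The CVE-2008-3824 description above names the filter-evasion pattern: a tag such as `<img/src=...>` is accepted by browsers, because an HTML tokenizer treats a solidus between the tag name and attributes (or between attributes) as a separator, while a filter that only splits attributes on whitespace never sees the `on*` attribute. The following added example (written for this page; it is not Horde's Text_Filter code nor the Popoon code, and the `handler()` value and the two sample tags are constructed) contrasts a whitespace-only attribute splitter with a browser-like one that also treats `/` as a separator, and shows that only the latter detects the event-handler attribute in the slash form:

```python
import re

# Constructed samples for illustration only (not taken from Horde or the advisory).
SPACE_FORM = '<img src="x" onerror="handler()">'      # ordinary spacing
SLASH_FORM = '<img/src="x"/onerror="handler()">'      # '/' used in place of spaces

# Start tag: name stops at whitespace, '/' or '>'; the rest up to '>' is the attribute text.
TAG_RE = re.compile(r'<([a-zA-Z][^\s/>]*)([^>]*)>')

# Attribute tokenizer whose separator class includes '/', mirroring how HTML
# tokenizers treat a solidus between attributes. Value may be double-quoted,
# single-quoted or bare.
ATTR_RE = re.compile(
    r'([^\s/=>]+)(?:\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s/>"\']+)))?'
)


def attributes_naive(attr_text):
    """Split on whitespace only: the behaviour of a simplistic filter.

    For '/src="x"/onerror="handler()"' this yields a single bogus attribute
    named '/src', so the onerror handler is never seen.
    """
    attrs = {}
    for tok in attr_text.split():
        name, _, value = tok.partition('=')
        attrs[name.lower()] = value.strip('"\'')
    return attrs


def attributes_browser_like(attr_text):
    """Treat '/' as a separator in addition to whitespace, as browsers do."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        # First non-None of the three value alternatives, else empty string.
        value = next((g for g in m.groups()[1:] if g is not None), '')
        attrs[name] = value
    return attrs


def event_handlers(html, tokenizer):
    """Return the names of on* attributes found in any start tag of `html`."""
    found = []
    for m in TAG_RE.finditer(html):
        for name in tokenizer(m.group(2)):
            if name.startswith('on'):
                found.append(name)
    return found


if __name__ == '__main__':
    for label, sample in (('space form', SPACE_FORM), ('slash form', SLASH_FORM)):
        print(label,
              'naive:', event_handlers(sample, attributes_naive),
              'browser-like:', event_handlers(sample, attributes_browser_like))
```

The lesson for a filter author is that the attribute parser used for sanitizing must accept at least every separator the target browser accepts; a regex or split that models only whitespace will pass markup the browser later executes.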

Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-09-17 08:29:45 UTC
alpha/x86 stable
Comment 8 Markus Meier gentoo-dev 2008-09-17 20:16:05 UTC
amd64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-19 18:52:42 UTC
ppc stable
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-19 19:58:05 UTC
Time for GLSA decision, I vote NO.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-22 12:38:25 UTC
NO too, closing.