Excerpts from Moritz Muehlenhoff's message of Thu Sep 30 23:13:56 +0200 2010:
> There appear to be quite a few new issues related to Horde and
> related packages. AFAICT the issues mentioned below are also new
> and haven't been assigned CVE IDs?
Right. I didn't finish wading through all Changesets. ;)
From that link:
> * Fixed an XSS vulnerability in util/icon_browser.php.
CVE-2010-3077. Also fixed in Horde Application Framework 3.3.9.
> * Fixed an XSS vulnerability in the Fetchmail configuration.
CVE n/a. Also fixed in Horde IMP 4.3.8
> * Fixed an XSS vulnerability when showing mailbox names.
CVE n/a. Also fixed in Horde DIMP 1.1.5
> * Protected preference forms against CSRF attacks.
CVE n/a. Also fixed in Horde Application Framework 3.3.9.
> Dimp (Dynamic Imp):
Already handled above (mailbox name XSS)
Already handled above (fetchmail XSS)
Additionally, CVE-2010-0463 (DNS prefetching) was resolved in IMP 4.3.8
and DIMP 1.1.5.
Finally, there is the Gollem XSS which just got CVE-2010-3447 from Josh.
This should now be the complete list of fixes in the latest Horde
updates (I hope). Josh, can you also assign CVEs to the rest of the
-- Alex Legler <email@example.com> Gentoo Security/Ruby