Date: Fri, 23 Nov 2012 12:25:27 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>, security@...de.org
Subject: CVE Request -- kronolith: Two sets (3.0.17 && 3.0.18) of XSS flaws

Hello Kurt, Steve, vendors,

Horde upstream has recently released version 3.0.18 of Kronolith, the Horde calendar application, correcting one set of XSS flaws:
  https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES
  http://lists.horde.org/archives/announce/2012/000836.html

more exactly:

* Set #1:
  [mms] SECURITY: Fix XSS vulnerabilities in the portal blocks.

  Upstream patch:
    http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e

  References: ,
  plus https://bugzilla.redhat.com/show_bug.cgi?id=879684

Also previously (in version 3.0.17), yet another set of XSS flaws got corrected:

* Set #2:
  [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189).

  Upstream ticket:
    http://bugs.horde.org/ticket/11189
  Upstream patch:
    http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2

  References: , , ,

Note: There isn't a Red Hat Bugzilla entry, since the kronolith 2.x based versions shipped within Fedora / Fedora EPEL weren't vulnerable to this problem yet.

Looking at the MITRE CVE database for kronolith:
  http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=kronolith

suggests that the last security flaws CVE ids have been assigned to were the following two:

* v2.2-RC2
--------
[jan] SECURITY: Fix privilege escalation in Horde API.
  => CVE-2008-7218
[cjh] SECURITY: Fix missing ownership validation on share changes
  => CVE-2008-7219

so both sets of the XSS issues (Set #1, Set #2) should still be lacking (two) CVE identifiers. Could you allocate them?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team