Date: Fri, 23 Nov 2012 12:25:27 -0500 (EST)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>,
Subject: CVE Request -- kronolith: Two sets (3.0.17 && 3.0.18) of XSS flaws

Hello Kurt, Steve, vendors,

  Horde upstream has recently released version 3.0.18
of Kronolith, the Horde calendar application, correcting
one set of XSS flaws:

more exactly:
* Set #1: [mms] SECURITY: Fix XSS vulnerabilities in the portal blocks.
  Upstream patch:
  References: [1], [2] plus [3]

Also, previously (in version 3.0.17) yet another set of XSS flaws was corrected:
* Set #2: [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189).  
  Upstream ticket: [4]
  Upstream patch:  [5]
  References: [1], [2], [4], [5]
  Note: There isn't a Red Hat Bugzilla entry, since the kronolith 2.x
        based versions shipped within Fedora / Fedora EPEL weren't
        vulnerable to this problem yet.

A look at the MITRE CVE database for kronolith:

suggests that the last security flaws CVE ids have been assigned to were the
following two:
* v2.2-RC2

[jan] SECURITY: Fix privilege escalation in Horde API. => CVE-2008-7218
[cjh] SECURITY: Fix missing ownership validation on share changes => CVE-2008-7219

so both sets of the XSS issues (Set #1, Set #2) should still be lacking
(two) CVE identifiers.

Could you allocate them?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
