Date: Fri, 23 Nov 2012 11:36:57 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>, security@...de.org
Subject: Re: CVE Request -- (Horde) IMP (prior v5.0.24-git): Obscure XSS issue when uploading attachments.


On 11/23/2012 10:46 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> Horde upstream, within the Horde Groupware Webmail Edition version
> 4.0.9 release, also corrected one XSS issue in IMP: [1]
> http://lists.horde.org/archives/announce/2012/000840.html
> * Mail changes:
>   * Fixed obscure XSS issue when uploading attachments.
> 
> Upstream patch:
> https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2
> 
> References:
> https://github.com/horde/horde/blob/1550c6ecd7204f9579fcbb09ec7089e01b0771e2/imp/docs/CHANGES
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> P.S.: No Red Hat bugzilla entry available, since this issue did
> not affect versions of IMP, as shipped with Fedora / Fedora EPEL.
> 
> P.S.#2: The other XSS from [1]:
> * Calendar changes:
>   * Fixed XSS issue in portal blocks.
> 
> is already covered within my previous (Kronolith related) request.
> 

Please use CVE-2012-5565 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

