Date: Thu, 28 Aug 2014 13:13:30 +0200
From: Robert Scheck <robert@...oraproject.org>
To: Open Source Security Mailing List <oss-security@...ts.openwall.com>
Subject: Zarafa WebApp < 1.6 affected by CVE-2010-4207 or CVE-2012-5881

Hello,

I discovered that Zarafa WebApp < 1.6 is affected by CVE-2010-4207 or
CVE-2012-5881 (depends on WebApp version) as it bundles charts.swf by
YUI, see http://yuilibrary.com/support/20121030-vulnerability/ for the
list of affected md5sums.

[root@tux ~]# rpm -q zarafa-webapp
zarafa-webapp-1.5-44025.noarch
[root@tux ~]#

[root@tux ~]# rpm -ql zarafa-webapp | grep charts.swf | xargs md5sum
923c8afe50fc45ed42d92d6ab83b11f6 /usr/share/zarafa-webapp/client/extjs/resources/charts.swf
[root@tux ~]#

I don't know how to abuse this, but the upstream notice "This defect allows
JavaScript injection exploits to be created against domains that host
these affected .swf files, whether or not the .swf files are embedded
in your application." seems important enough for this heads-up.

Given that Zarafa WebApp 1.6 (final release) happened on 2014-07-21
there might be distributions/downstreams still shipping Zarafa WebApp
1.5. Zarafa WebApp does not use that file so removing it on packaging
level is fine. Fedora is not affected; it doesn't ship Zarafa WebApp.


With kind regards

Robert Scheck
-- 
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager
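The check in the post (rpm -ql, grep for charts.swf, md5sum, compare against the YUI advisory's list) generalises to any host or package tree. The script below is an added example, not code from the post or from Zarafa: it walks a directory for files named charts.swf, hashes each one and reports those whose MD5 appears in a supplied list of affected checksums. The only real checksum embedded is the one quoted above (923c8afe50fc45ed42d92d6ab83b11f6); the directory layout, the placeholder file contents and the list file used by the demo are constructed, and the demo adds the placeholder's own MD5 to the list purely so the match path is exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): find copies of YUI charts.swf
# under a directory and flag those whose MD5 is on a known-affected list.
# Only 923c8afe50fc45ed42d92d6ab83b11f6 comes from the post; take the full
# list from the YUI advisory linked there. All paths below are constructed.

# file_md5 FILE: print the MD5 hex digest, using md5sum (GNU) or md5 (BSD).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# scan_tree DIR LISTFILE: print "<md5> <path>" for every charts.swf under DIR
# whose checksum appears in LISTFILE (one MD5 per line, case-insensitive).
# Files with other names are ignored even if their hash is listed, matching
# the post's approach of checking the bundled charts.swf specifically.
scan_tree() {
    find "$1" -type f -name 'charts.swf' | while IFS= read -r f; do
        sum=$(file_md5 "$f")
        if grep -qix "$sum" "$2"; then
            printf '%s %s\n' "$sum" "$f"
        fi
    done
}

# affected_count DIR LISTFILE: number of affected copies found under DIR.
affected_count() {
    scan_tree "$1" "$2" | wc -l | tr -d ' '
}

# demo: builds a constructed tree in a temp dir and scans it. The second
# checksum in the list is the placeholder's own MD5 (constructed) so that
# the match path runs without a real affected SWF being present.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/webapp/client/extjs/resources" "$tmp/other"
    printf 'constructed placeholder, not a real SWF\n' \
        > "$tmp/webapp/client/extjs/resources/charts.swf"
    printf 'another constructed placeholder\n' > "$tmp/other/charts.swf"
    {
        echo 923c8afe50fc45ed42d92d6ab83b11f6            # from the post
        file_md5 "$tmp/webapp/client/extjs/resources/charts.swf"  # constructed
    } > "$tmp/affected.txt"
    echo "affected copies: $(affected_count "$tmp" "$tmp/affected.txt")"
    scan_tree "$tmp" "$tmp/affected.txt"
    rm -rf "$tmp"
}

demo
```

On a real system the list file would hold every checksum from the YUI advisory, and the scan would be pointed at the web root (for the post's package, /usr/share/zarafa-webapp). Because the WebApp does not use the file, a match is resolved by deleting it or dropping it from the package, as the post suggests, rather than by patching it.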
