Date: Tue, 15 Sep 2009 13:03:36 +0200
From: Alex Legler <a3li@...too.org>
To: oss-security@...ts.openwall.com
Cc: jlieskov@...hat.com, "Steven M. Christey" <coley@...us.mitre.org>,
 vuln@...unia.com
Subject: Re: CVE Request -- Horde 3.3.5

On Tue, 15 Sep 2009 12:39:45 +0200, Jan Lieskovsky
<jlieskov@...hat.com> wrote:

> Hello Steve, vendors,
> 
>    three security issues have been addressed within latest upstream
> Horde version (3.3.5).
> 

FYI: These issues also affect the Horde Groupware Edition and Horde
Groupware Webmail Edition.

Secunia has a dedicated advisory, SA369729 [1] for these. It mentions
that the two editions are only affected by the two XSS issues. This is
in accordance with upstream's release announcements.

However, the 1.2.4 release of both editions seems to be missing in that
advisory; both are vulnerable to all three issues, including the file
overwrite, according to the release announcements [2, 3].

Alex

[1] http://secunia.com/advisories/36729/
[2] http://marc.info/?l=horde-announce&m=125294558611682&w=2
[3] http://marc.info/?l=horde-announce&m=125295852706029&w=2
