Date: Fri, 23 Nov 2012 12:25:27 -0500 (EST) From: Jan Lieskovsky <jlieskov@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org>, security@...de.org Subject: CVE Request -- kronolith: Two sets (3.0.17 && 3.0.18) of XSS flaws Hello Kurt, Steve, vendors, Horde upstream has recently released 3.0.18 version of Kronolith, the Horde calendar application, correcting one set of XSS flaws:  https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES  http://lists.horde.org/archives/announce/2012/000836.html more exactly: * Set #1: [mms] SECURITY: Fix XSS vulnerabilities in the portal blocks. Upstream patch: http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e References: ,  plus  https://bugzilla.redhat.com/show_bug.cgi?id=879684 Also previously (in version 3.0.17 yet another set of XSS flaws got corrected): * Set #2: [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189). Upstream ticket:  http://bugs.horde.org/ticket/11189 Upstream patch:  http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2 References: , , ,  Note: There isn't a Red Hat Bugzilla entry, since the kronolith 2.x version based versions shipped, within Fedora / Fedora EPEL weren't vulnerable to this problem yet. Look at MITRE CVE database for kronolith:  http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=kronolith suggests the last security flaws, a CVE ids has been assigned to, were the following two: * v2.2-RC2 -------- [jan] SECURITY: Fix privilege escalation in Horde API. => CVE-2008-7218 [cjh] SECURITY: Fix missing ownership validation on share changes => CVE-2008-7219 so both of sets of the XSS issues (Set #1, Set #2) should still be lacking (two) CVE identifiers. Could you allocate them? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.