Date: Fri, 23 Nov 2012 12:25:27 -0500 (EST)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>,
Subject: CVE Request -- kronolith: Two sets (3.0.17 && 3.0.18) of XSS flaws

Hello Kurt, Steve, vendors,

  Horde upstream has recently released version 3.0.18
of Kronolith, the Horde calendar application, correcting
one set of XSS flaws:

more exactly:
* Set #1: [mms] SECURITY: Fix XSS vulnerabilities in the portal blocks.
  Upstream patch:
  References: [1], [2] plus [3]

Also, previously (in version 3.0.17) yet another set of XSS flaws got corrected:
* Set #2: [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189).
  Upstream ticket: [4]
  Upstream patch:  [5]
  References: [1], [2], [4], [5]
  Note: There isn't a Red Hat Bugzilla entry, since the kronolith 2.x
        based versions shipped within Fedora / Fedora EPEL weren't
        vulnerable to this problem yet.

A look at the MITRE CVE database for kronolith:

suggests the last security flaws to which CVE ids have been assigned were the
following two:
* v2.2-RC2

[jan] SECURITY: Fix privilege escalation in Horde API. => CVE-2008-7218
[cjh] SECURITY: Fix missing ownership validation on share changes => CVE-2008-7219

so both sets of the XSS issues (Set #1, Set #2) should still be lacking
(two) CVE identifiers.

Could you allocate them?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
