oss-sec mailing list archives

Re: CVE Request -- Horde 3.3.5


From: Alex Legler <a3li () gentoo org>
Date: Tue, 15 Sep 2009 13:03:36 +0200

On Tue, 15 Sep 2009 12:39:45 +0200, Jan Lieskovsky
<jlieskov () redhat com> wrote:

Hello Steve, vendors,

   three security issues have been addressed within latest upstream
Horde version (3.3.5).


FYI: These issues also affect the Horde Groupware Edition and Horde
Groupware Webmail Edition.

Secunia has a dedicated advisory, SA369729 [1] for these. It mentions
that the two editions are only affected by the two XSS issues. This is
in accordance with upstream's release announcements.

However, the 1.2.4 release of both editions seems to be missing in that
advisory; both are vulnerable to all three issues, including the file
overwrite, according to the release announcements [2, 3].

Alex

[1] http://secunia.com/advisories/36729/
[2] http://marc.info/?l=horde-announce&m=125294558611682&w=2
[3] http://marc.info/?l=horde-announce&m=125295852706029&w=2
