oss-sec mailing list archives
Zarafa WebApp < 1.6 affected by CVE-2010-4207 or CVE-2012-5881
From: Robert Scheck <robert () fedoraproject org>
Date: Thu, 28 Aug 2014 13:13:30 +0200
Hello,

I discovered that Zarafa WebApp < 1.6 is affected by CVE-2010-4207 or CVE-2012-5881 (depends on WebApp version) as it bundles charts.swf by YUI, see http://yuilibrary.com/support/20121030-vulnerability/ for the list of affected md5sums.

[root@tux ~]# rpm -q zarafa-webapp
zarafa-webapp-1.5-44025.noarch
[root@tux ~]#
[root@tux ~]# rpm -ql zarafa-webapp | grep charts.swf | xargs md5sum
923c8afe50fc45ed42d92d6ab83b11f6  /usr/share/zarafa-webapp/client/extjs/resources/charts.swf
[root@tux ~]#

I don't know how to abuse this but upstream notice "This defect allows JavaScript injection exploits to be created against domains that host these affected .swf files, whether or not the .swf files are embedded in your application." seems to be important enough for this heads up.

Given that Zarafa WebApp 1.6 (final release) happened on 2014-07-21 there might be distributions/downstreams still shipping Zarafa WebApp 1.5. Zarafa WebApp does not use that file so removing it on packaging level is fine.

Fedora is not affected; it doesn't ship Zarafa WebApp.

With kind regards
Robert Scheck

--
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager
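The manual rpm -ql / md5sum check in the post, generalised into a reusable scan, as an added example that is not part of Robert Scheck's message: it walks an install tree (not only an RPM's file list) for any bundled .swf, compares each md5sum against a hash list you save from the YUI advisory page linked above, and returns non-zero when a known-affected copy is present. The hash-list file format (one md5 per line, '#' comments allowed) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the oss-sec post or from Zarafa.
# check_swf_hashes DIR HASHFILE
#   DIR      : install tree to scan, e.g. /usr/share/zarafa-webapp
#   HASHFILE : md5sums copied from the YUI advisory, one per line,
#              lines starting with '#' are ignored (assumed format).
#              The md5 seen in the post would be one such line:
#              923c8afe50fc45ed42d92d6ab83b11f6
# Prints "AFFECTED <md5> <path>" for each bundled .swf whose md5sum is
# on the list; returns 1 if at least one match was found, 0 otherwise,
# so the function can gate a packaging or deployment check.
check_swf_hashes() {
    dir=$1
    hashfile=$2
    # Normalise the list once: drop comments/blank lines, lowercase hex.
    known=$(grep -v '^#' "$hashfile" | grep -v '^[[:space:]]*$' | tr 'A-F' 'a-f')
    # md5sum output is "<hash>  <path>"; read splits it for us and keeps
    # paths containing spaces intact in $path.
    hits=$(find "$dir" -type f -name '*.swf' -exec md5sum {} + 2>/dev/null |
        while read -r sum path; do
            if printf '%s\n' "$known" | grep -qx "$sum"; then
                printf 'AFFECTED %s %s\n' "$sum" "$path"
            fi
        done)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Usage: check_swf_hashes /usr/share/zarafa-webapp yui-affected-md5s.txt
```

A clean tree (no .swf at all, or none on the list) returns 0 and prints nothing, so the function is quiet in the good case.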