Date: Thu, 14 Aug 2008 19:12:30 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: oss-security+ml@...lde.de, coley@...re.org
Subject: Re: horde webmail edition < 1.1.1


On Wed, 13 Aug 2008, Tomas Hoger wrote:

> On Wed, 13 Aug 2008 14:00:03 +0200 Nico Golde
> <oss-security+ml@...lde.de> wrote:
>
> > > > This should be a duplicate of CVE-2008-3330.
> > >
> > > Actually, (1) is covered by CVE-2008-3330, (2) probably never got an
> > > id.  Bit more info on (2) here:
> > >
> > >   https://bugzilla.redhat.com/show_bug.cgi?id=452549
> > >
> > > Steven, can you please correct the CVE description.  Thanks!
> >
> > Hmm, actually I thought this would have been added after my
> > post on:
> > http://www.openwall.com/lists/oss-security/2008/07/28/3
> > which already mentions this.
>
> Ah, so actually both issues were previously mentioned here... I forgot.
> It seems that after you pointed out (2), no more CVE id was allocated
> in that thread.

OK, some followups:

1) CVE-2008-3330.2, for Turba, affects contact.php, which only exists in
   Turba 2.2.

2) The Debian bug report seems to have found contact issues in Turba 2.1,
   in browse.php:
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492578#40

3) The code from Turba 2.1 looks quite different than the contact.php code
   as quoted by Nico here:

    http://www.openwall.com/lists/oss-security/2008/07/28/3

4) I haven't seen any mention of contact issues in Horde itself, is this
   correct?

5) CVE-2008-3650, the "unspecified" issues based on a vague Horde
   Groupware advisory, appears to line up closely with both
   CVE-2008-3330.1 (obrowser) and CVE-2008-3330.2 (Turba contacts).  Is
   this sufficiently confirmed?

> It seems different ids should be used for (1) and (2), as different
> Horde project components are affected, also in different versions.

Difference in components is not treated as relevant for CVE purposes.

However, the different versions are.  Question 3 is especially relevant
even in this case.

This might be a candidate for a SPLIT, but I'm generally reluctant to do
so after a CVE has been published, since we don't know how many people are
already using it...

- Steve
