Date: Tue, 15 Sep 2009 13:03:36 +0200
From: Alex Legler <a3li@...too.org>
To: oss-security@...ts.openwall.com
Cc: jlieskov@...hat.com, "Steven M. Christey" <coley@...us.mitre.org>,
 vuln@...unia.com
Subject: Re: CVE Request -- Horde 3.3.5

On Tue, 15 Sep 2009 12:39:45 +0200, Jan Lieskovsky
<jlieskov@...hat.com> wrote:

> Hello Steve, vendors,
> 
>    three security issues have been addressed within latest upstream
> Horde version (3.3.5).
> 

FYI: These issues also affect the Horde Groupware Edition and Horde
Groupware Webmail Edition.

Secunia has a dedicated advisory, SA369729 [1] for these. It mentions
that the two editions are only affected by the two XSS issues. This is
in accordance with upstream's release announcements.

However, the 1.2.4 release of both editions seems to be missing in that
advisory; both are vulnerable to all three issues, including the file
overwrite, according to the release announcements [2, 3].

Alex

[1] http://secunia.com/advisories/36729/
[2] http://marc.info/?l=horde-announce&m=125294558611682&w=2
[3] http://marc.info/?l=horde-announce&m=125295852706029&w=2
