
Mageia alert MGASA-2012-0239 (horde)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2012-0239: horde-3.3.13-1.mga1, horde-dimp-1.1.8-1.mga1, horde-imp-4.3.11-1.1.mga1 (1/core)
Date:  Sun, 26 Aug 2012 22:56:25 +0200
Message-ID:  <20120826205625.GA14851@valstar.mageia.org>

MGASA-2012-0239
Date: August 23rd, 2012
Affected releases: 1

Description:

Updated horde, horde-imp, horde-dimp packages fix security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities were discovered in IMP, the webmail component in the Horde framework. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various crafted parameters (CVE-2012-0791).

Cross-site scripting (XSS) vulnerability in Horde_Form in Horde Groupware Webmail Edition before 4.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to email verification (CVE-2012-0909).

Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter (CVE-2010-3077).

Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form (CVE-2010-3694).

Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration (CVE-2010-3695).

Please note that these packages are no longer available in Mageia 2.

Updated Packages:

horde-3.3.13-1.mga1
horde-dimp-1.1.8-1.mga1
horde-imp-4.3.11-1.1.mga1

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3695
http://lists.opensuse.org/opensuse-updates/2012-02/msg000...
http://lists.opensuse.org/opensuse-updates/2012-02/msg000...
http://www.debian.org/security/2011/dsa-2204
http://www.debian.org/security/2012/dsa-2485
http://www.debian.org/security/2011/dsa-2278
http://lwn.net/Vulnerabilities/413565/
http://lwn.net/Vulnerabilities/435711/
https://bugs.mageia.org/show_bug.cgi?id=6603
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
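The advisory covers two bug classes: reflected XSS through request parameters (subdir, fm_id) and CSRF against a preference form. The following PHP is an added illustration of the corresponding mitigations, not Horde's own code; the function names, the markup and the session/post arrays are constructed for the example, and only the parameter names are taken from the advisory.

```php
<?php
// Added example: output encoding against reflected XSS and a per-session
// token against CSRF. Not taken from Horde; names and markup are constructed.

// Encode untrusted request data before it is placed in HTML. Without this,
// a value such as the "subdir" parameter reaches the page as live markup.
function render_subdir_heading(string $subdir): string {
    $safe = htmlspecialchars($subdir, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Icons in: $safe</h2>";
}

// One token per session; embed it in every state-changing form.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison; a missing token is treated as a mismatch.
function csrf_check(array $session, array $post): bool {
    return isset($session['csrf_token'], $post['csrf_token'])
        && hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// A preference-save handler in the style of fetchmail_prefs_save: the
// request is refused unless the submitted token matches the session's.
function save_fetchmail_prefs(array $session, array $post): string {
    if (!csrf_check($session, $post)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $fm_id = htmlspecialchars((string) ($post['fm_id'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "saved fetchmail account $fm_id";
}

// Demonstration with constructed inputs.
$session = [];
$token = csrf_token($session);

// Angle brackets and quotes come out as entities, so the browser shows text.
echo render_subdir_heading('<b>not bold</b> "x"'), "\n";

// A form submitted from another origin carries no session token.
echo save_fetchmail_prefs($session, ['fm_id' => '1']), "\n";

// The legitimate form, carrying the token, is processed.
echo save_fetchmail_prefs($session, ['fm_id' => '1', 'csrf_token' => $token]), "\n";
```

Run with `php example.php`; the first line prints the encoded heading, the second is rejected and the third is saved.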



Copyright © 2013, Eklektix, Inc.