From Mageia wiki

MGASA-2012-0239

Date: August 26th, 2012
Affected releases: 1


Description:
Updated horde, horde-imp, horde-dimp packages fix security
vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities were discovered in
IMP, the webmail component in the Horde framework. The vulnerabilities
allow remote attackers to inject arbitrary web script or HTML via
various crafted parameters (CVE-2012-0791).

Cross-site scripting (XSS) vulnerability in Horde_Form in Horde
Groupware Webmail Edition before 4.0.6 allows remote attackers to
inject arbitrary web script or HTML via unspecified vectors, related
to email verification (CVE-2012-0909).

Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the
Horde Application Framework before 3.3.9 allows remote attackers to inject
arbitrary web script or HTML via the subdir parameter (CVE-2010-3077).

Cross-site request forgery (CSRF) vulnerability in the Horde Application
Framework before 3.3.9 allows remote attackers to hijack the authentication
of unspecified victims for requests to a preference form (CVE-2010-3694).

Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde
IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows
remote attackers to inject arbitrary web script or HTML via the
fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail
configuration (CVE-2010-3695).

Please note that these packages are no longer available in Mageia 2.


Updated Packages:
horde-3.3.13-1.mga1
horde-dimp-1.1.8-1.mga1
horde-imp-4.3.11-1.1.mga1
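To confirm that a Mageia 1 host actually carries the fixed builds, the installed name-version-release of each package has to be compared with the versions above using rpm's own segment-wise ordering, not a plain string comparison. The script below is an added example, not part of this advisory or of Mageia's tooling; it assumes the input is the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' horde horde-dimp horde-imp` (the constructed SAMPLE stands in for it), ignores epochs, which these packages do not use, and skips rpm's tilde/caret rules.

```python
import re

# Fixed builds listed in MGASA-2012-0239: name -> (version, release)
FIXED = {
    "horde": ("3.3.13", "1.mga1"),
    "horde-dimp": ("1.1.8", "1.mga1"),
    "horde-imp": ("4.3.11", "1.1.mga1"),
}

# rpm splits version strings into runs of digits and runs of letters;
# anything else (dots, dashes, underscores) is a separator.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Order two version (or release) strings like rpmvercmp(): -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:                      # both numeric: compare as integers
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:                     # numeric segment beats alphabetic one
            return 1 if xd else -1
        elif x != y:                       # both alphabetic: plain string order
            return 1 if x > y else -1
    if len(sa) != len(sb):                 # all shared segments equal: longer wins
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvr(nvr):
    """Split 'name-version-release' into its parts; names may contain dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(nvr):
    """True if the installed build is at or above the advisory's build,
    False if it is older, None if the advisory does not cover the package."""
    name, version, release = parse_nvr(nvr)
    if name not in FIXED:
        return None
    fixed_version, fixed_release = FIXED[name]
    cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return cmp >= 0


# Constructed sample of the rpm query output (assumption, not real host data):
# one package behind on version, one current, one behind only on release.
SAMPLE = "horde-3.3.12-1.mga1\nhorde-dimp-1.1.8-1.mga1\nhorde-imp-4.3.11-1.mga1\n"


def check(rpm_output):
    """Map each installed build from the query output to its is_fixed() verdict."""
    return {nvr: is_fixed(nvr) for nvr in rpm_output.split()}
```

Note that horde-imp-4.3.11-1.mga1 is reported as not fixed: release 1.1.mga1 sorts above 1.mga1 because its second segment is numeric, which a naive string comparison would get wrong.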


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3695
http://lists.opensuse.org/opensuse-updates/2012-02/msg00054.html
http://lists.opensuse.org/opensuse-updates/2012-02/msg00055.html
http://www.debian.org/security/2011/dsa-2204
http://www.debian.org/security/2012/dsa-2485
http://www.debian.org/security/2011/dsa-2278
http://lwn.net/Vulnerabilities/413565/
http://lwn.net/Vulnerabilities/435711/
https://bugs.mageia.org/show_bug.cgi?id=6603