Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- kronolith: Two sets (3.0.17 && 3.0.18) of XSS flaws
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 23 Nov 2012 11:38:37 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/23/2012 10:25 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

Horde upstream has recently released 3.0.18 version of Kronolith,
the Horde calendar application, correcting one set of XSS flaws: 
[1]
https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES


[2] http://lists.horde.org/archives/announce/2012/000836.html

more exactly: * Set #1: [mms] SECURITY: Fix XSS vulnerabilities in
the portal blocks. Upstream patch:
http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e


References: [1], [2] plus [3]
https://bugzilla.redhat.com/show_bug.cgi?id=879684

Please use CVE-2012-5567 for kronolith: 3.0.18 of XSS flaw

Also previously (in version 3.0.17 yet another set of XSS flaws got
corrected): * Set #2: [jan] SECURITY: Fix XSS vulnerabilities in
tasks view and search view (Bug #11189). Upstream ticket: [4]
http://bugs.horde.org/ticket/11189 Upstream patch:  [5]
http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2


References: [1], [2], [4], [5]
Note: There isn't a Red Hat Bugzilla entry, since the kronolith
2.x version based versions shipped, within Fedora / Fedora EPEL
weren't vulnerable to this problem yet.

Please use CVE-2012-5566 for kronolith: 3.0.17 of XSS flaw

Look at MITRE CVE database for kronolith: [6]
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=kronolith

suggests the last security flaws, a CVE ids has been assigned to,
were the following two: * v2.2-RC2 --------

[jan] SECURITY: Fix privilege escalation in Horde API. =>
CVE-2008-7218 [cjh] SECURITY: Fix missing ownership validation on
share changes => CVE-2008-7219

so both of sets of the XSS issues (Set #1, Set #2) should still be
lacking (two) CVE identifiers.

Could you allocate them?

Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQr8KtAAoJEBYNRVNeJnmTvOMQANJwGQMMe+EmCuwFBjty8oCz
w/9F+OAC9I4/tViLPfbbyzKkXk0cprC9FdaPb/8eBVW1L/ELCZGbbdQPlAiag2im
FmxyHou2lJ/dxePvdDZE7ZI0xp4gHnoRynXJ4g7szFisr4UWqZzqUsfpk7O2JOnT
FfZljNJdMJXok++p2q1CCckwltMpLaYr4AvUPEZMUIMTbgrj+GXuhjriuztVa9ii
4foH5KSzpPA1CfooDTqnmosJW+sZADr+GM2/RsLQZ0FHosbNtqkn8MGyr6ApLaGr
1gNYQbduYaCoSVndxoJt+CTkgbuJ1O3Hru8ib46CJ3tZrKS2lmR0CzrAG4GaJEhV
Eh9L/YRYDt3RA/h2u0TNg5w4gQl4vhwZG6y4ZljPUT2zFq9KuWNxMByMdWeKwM6N
0D2KT8RqffyVA+UXSQbWg8SGz1nKr4v70FatjDSByrZqyXIBl6w3yGrFeVsgcErJ
zpo7yu5A2bNUP4qBLS4hisZxvHU3aLCStWlD3BX1ghaFlZXkAXEh0AdIbj0zw31F
pYkxbPXATiMtXUy0jp8xWY8/cCXy2oROVtmiI9dlZDkPWBJYXpysBprsEZttiANl
hk53ql7glJMEB83UBOI1kOjVN+wDX7veeNEv3Ntou5nm9mpmHeAUq3T/7O08l+l0
aAf/nis5wNitl8Mvj6Zf
=yKB3
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault