Debian Security Advisory

DSA-1642-1 horde3 -- cross site scripting

Date Reported:

20 Sep 2008

Affected Packages:

horde3

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2008-3823.

More information:

Will Drewry discovered that Horde allows remote attackers to send an email with a crafted MIME attachment filename attribute to perform cross site scripting.

For the stable distribution (etch), this problem has been fixed in version 3.1.3-4etch4.

For the testing distribution (lenny), this problem has been fixed in version 3.2.1+debian0-2+lenny1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your horde3 package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:: http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch4.dsc; http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz; http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch4.diff.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch4_all.deb

MD5 checksums of the listed files are available in the original advisory.