New horde upstream versions 3.1.8 and 3.2.1 were released to address an XSS issue in the object browser.

Note in upstream changelog:
SECURITY: Escape item names in the object browser (Bug #6906).

Upstream bug report referenced by changelog message:
http://bugs.horde.org/ticket/6906

Upstream patch:
http://cvs.horde.org/diff.php/horde/services/obrowser/index.php?r1=1.18&r2=1.19

3.1.8 announcement:
http://lists.horde.org/archives/announce/2008/000415.html
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.312.2.5&r2=1.515.2.312.2.10&ty=h

3.2.1 announcement:
http://lists.horde.org/archives/announce/2008/000416.html
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.392&r2=1.515.2.413&ty=h

Other references:
http://secunia.com/advisories/30697/

Rawhide already has 3.2.1 (horde-3.2.1-1.fc10), so only F8 and F9 to deal with.
horde-3.2.1-1.fc8 has been submitted as an update for Fedora 8
horde-3.2.1-1.fc9 has been submitted as an update for Fedora 9
(In reply to comment #0)
> Rawhide already has 3.2.1 (horde-3.2.1-1.fc10), so only F8 and F9 to deal with.

Thanks, my plan was to actually wait a couple of days and then push it; it's now done. Also EPEL-5 now has an updated version (3.2.1).
horde-3.2.1-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
horde-3.2.1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
The updates system did not close this when it should have, closing.
CVE-2008-3330: Cross-site scripting (XSS) vulnerability in services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote attackers to inject arbitrary web script or HTML via the contact name.