New Horde upstream versions 3.1.8 and 3.2.1 were released to address an XSS issue
in the object browser.
Note in upstream changelog:
SECURITY: Escape item names in the object browser (Bug #6906).
Upstream bug report referenced by changelog message:
Rawhide already has 3.2.1 (horde-3.2.1-1.fc10), so only F8 and F9 to deal with.
horde-3.2.1-1.fc8 has been submitted as an update for Fedora 8
horde-3.2.1-1.fc9 has been submitted as an update for Fedora 9
(In reply to comment #0)
> Rawhide already has 3.2.1 (horde-3.2.1-1.fc10), so only F8 and F9 to deal with.
Thanks, my plan was to actually wait a couple of days and then push it, it's now
Also EPEL-5 now has an updated version (3.2.1).
horde-3.2.1-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
horde-3.2.1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
The updates system did not close this when it should have, closing.
Cross-site scripting (XSS) vulnerability in
services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote
attackers to inject arbitrary web script or HTML via the contact name.