Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0930 to the following vulnerability:

Name: CVE-2009-0930
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0930
Assigned: 20090317
Reference: MLIST:[announce] 20090127 IMP 4.2.2 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000484.html
Reference: MLIST:[announce] 20090127 IMP 4.3.3 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000485.html
Reference: CONFIRM: http://cvs.horde.org/co.php/imp/docs/CHANGES?r=1.699.2.301.2.3
Reference: CONFIRM: http://cvs.horde.org/co.php/imp/docs/CHANGES?r=1.699.2.375
Reference: BID:33492
Reference: URL: http://www.securityfocus.com/bid/33492
Reference: SECUNIA:33719
Reference: URL: http://secunia.com/advisories/33719

Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 4.2.2 and 4.3.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) smime.php, (2) pgp.php, and (3) message.php.
Short summary with links to relevant patches:

IMP 4.2.2 and 4.3.3:
* SECURITY: Escape output in message.php, pgp.php and smime.php

http://lists.horde.org/archives/announce/2009/000484.html
http://lists.horde.org/archives/announce/2009/000485.html
http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.699.2.301.2.1&r2=1.699.2.301.2.4&ty=h

Patches:
http://cvs.horde.org/diff.php/imp/pgp.php?r1=2.79.6.15&r2=2.79.6.15.2.1
http://cvs.horde.org/diff.php/imp/smime.php?r1=2.48.4.12&r2=2.48.4.12.4.1
http://cvs.horde.org/diff.php/imp/message.php?r1=2.560.4.56&r2=2.560.4.56.4.1
Fedora 12 contains 4.3.4, so has this fix. Fedora 10 and 11 contain 4.2 and are still vulnerable to this issue.
imp-4.3.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/imp-4.3.6-1.fc11
imp-4.3.6-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.