From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
security-alerts@linuxsecurity.com
Subject: Security Update: [CSSA-2002-016.0] Linux: horde/imp cross scripting vulnerabilities
Date: Tue, 16 Apr 2002 14:21:29 -0700
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux: horde/imp cross scripting vulnerabilities
Advisory number: CSSA-2002-016.0
Issue date: 2002 April 16
Cross reference:
______________________________________________________________________________
1. Problem Description
There are some potential cross-site scripting (CSS) attacks in
the imp and horde programs.
2. Vulnerable Supported Versions
System                     Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server     prior to horde-1.2.8-1.i386.rpm
                           prior to horde-1.2.8-1.src.rpm
                           prior to imp-2.2.8-1.i386.rpm
                           prior to imp-2.2.8-1.src.rpm
OpenLinux 3.1 Server       prior to horde-1.2.8-1.i386.rpm
                           prior to horde-1.2.8-1.src.rpm
                           prior to imp-2.2.8-1.i386.rpm
                           prior to imp-2.2.8-1.src.rpm
3. Solution
The proper solution is to install the latest packages.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
4.2 Packages
f52d7821dcbefafc220a479a34f359a7 horde-1.2.8-1.i386.rpm
7dec82815fe2a801b40fd1cc64712f28 imp-2.2.8-1.i386.rpm
4.3 Installation
rpm -Fvh horde-1.2.8-1.i386.rpm
rpm -Fvh imp-2.2.8-1.i386.rpm
4.4 Source Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS
4.5 Source Packages
2b48821e064674d8b159a3bb1078c619 horde-1.2.8-1.src.rpm
632aa28b3eaf46100fc00a54bd10644a imp-2.2.8-1.src.rpm
5. OpenLinux 3.1 Server
5.1 Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
5.2 Packages
d479bd6ee5b856a3cf212d3b58ddbd98 horde-1.2.8-1.i386.rpm
836b9bc79c208b36d4e6191dcd60ce0d imp-2.2.8-1.i386.rpm
5.3 Installation
rpm -Fvh horde-1.2.8-1.i386.rpm
rpm -Fvh imp-2.2.8-1.i386.rpm
5.4 Source Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
5.5 Source Packages
c8031ec50e69ad21a6a20b7885be6eeb horde-1.2.8-1.src.rpm
151403a7a889478485be1733c9fa1bd0 imp-2.2.8-1.src.rpm
6. References
Specific references for this advisory:
none
Caldera OpenLinux security resources:
http://www.caldera.com/support/security/index.html
Caldera UNIX security resources:
http://stage.caldera.com/support/security/
This security fix closes Caldera incidents sr862918, fz520626,
erg712017.
7. Disclaimer
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera products.
8. Acknowledgements
Nuno Loureiro <nuno@eth.pt> discovered and researched this
problem.
______________________________________________________________________________