-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

            Caldera International, Inc.  Security Advisory

Subject:            Linux: REVISED: horde/imp cross scripting vulnerabilities
Advisory number:    CSSA-2002-016.1
Issue date:         2002 May 09
Cross reference:
______________________________________________________________________________


1. Problem Description

    There are some potential cross-site scripting (CSS) attacks in the
    imp and horde programs.

    This update fixes a problem with the horde package installation.


2. Vulnerable Supported Versions

    System                        Package
    ----------------------------------------------------------------------

    OpenLinux 3.1.1 Server        prior to horde-1.2.8-2.i386.rpm
                                  prior to imp-2.2.8-1.i386.rpm

    OpenLinux 3.1 Server          prior to horde-1.2.8-2.i386.rpm
                                  prior to imp-2.2.8-1.i386.rpm


3. Solution

    The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

    4.1 Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

    4.2 Packages

    17a500e12a71d9639d15d85f7386597c    horde-1.2.8-2.i386.rpm
    7dec82815fe2a801b40fd1cc64712f28    imp-2.2.8-1.i386.rpm

    4.3 Installation

    rpm -Fvh horde-1.2.8-2.i386.rpm
    rpm -Fvh imp-2.2.8-1.i386.rpm

    4.4 Source Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

    4.5 Source Packages

    f6a39863ed3049073b079c52b8d49353    horde-1.2.8-2.src.rpm
    632aa28b3eaf46100fc00a54bd10644a    imp-2.2.8-1.src.rpm


5. OpenLinux 3.1 Server

    5.1 Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

    5.2 Packages

    3ba666ed18ce30c26c059d6467ba648f    horde-1.2.8-2.i386.rpm
    836b9bc79c208b36d4e6191dcd60ce0d    imp-2.2.8-1.i386.rpm

    5.3 Installation

    rpm -Fvh horde-1.2.8-2.i386.rpm
    rpm -Fvh imp-2.2.8-1.i386.rpm

    5.4 Source Package Location

    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

    5.5 Source Packages

    a6c9c2bfd5dda4049a0a8b9342bcc3c6    horde-1.2.8-2.src.rpm
    151403a7a889478485be1733c9fa1bd0    imp-2.2.8-1.src.rpm


6. References

    Specific references for this advisory:

        none

    Caldera OpenLinux security resources:

        http://www.caldera.com/support/security/index.html

    Caldera UNIX security resources:

        http://stage.caldera.com/support/security/

    This security fix closes Caldera incidents sr862918, fz520626,
    erg712017.


7. Disclaimer

    Caldera International, Inc. is not responsible for the misuse of
    any of the information we provide on this website and/or through our
    security advisories. Our advisories are a service to our customers
    intended to promote secure installation and use of Caldera products.


8. Acknowledgements

    Nuno Loureiro discovered and researched this problem.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjza9tgACgkQbluZssSXDTG4TQCgwvw77w//DhY5+DRg/IU+Nll0
6Q4AoIPLF3I3HeEiXISVsUoJt3rxsbSJ
=FDJl
-----END PGP SIGNATURE-----
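
Sections 4 and 5 list an MD5 sum beside each package. The following added example (not part of the Caldera advisory) checks downloaded files against the section 4.2 sums before `rpm -Fvh` is run. The function names `manifest_311`, `check_md5` and `verify_dir` are illustrative assumptions, and MD5 here only detects a corrupted or mismatched download.

```shell
#!/bin/sh
# Added example: compare downloaded packages with the MD5 sums printed in the
# advisory before upgrading. Function names are illustrative, not Caldera tooling.
# Usage: verify_dir ./RPMS && rpm -Fvh ./RPMS/horde-1.2.8-2.i386.rpm \
#                                      ./RPMS/imp-2.2.8-1.i386.rpm

# Sums copied from section 4.2 (OpenLinux 3.1.1 Server binary packages).
# For OpenLinux 3.1 Server, write a second function with the section 5.2 sums.
manifest_311() {
cat <<'EOF'
17a500e12a71d9639d15d85f7386597c horde-1.2.8-2.i386.rpm
7dec82815fe2a801b40fd1cc64712f28 imp-2.2.8-1.i386.rpm
EOF
}

# check_md5 EXPECTED FILE
# Returns 0 on a match, 1 on a mismatch, 2 if FILE does not exist.
check_md5() {
    [ -f "$2" ] || return 2
    actual=$(md5sum "$2" | awk '{print $1}')
    [ "$actual" = "$1" ]
}

# verify_dir DIR [MANIFEST_FUNCTION]
# Checks every manifest entry under DIR, prints one status line per package,
# and returns non-zero if any package is missing or does not match.
verify_dir() {
    dir=$1
    failed=0
    while read -r sum name; do
        [ -n "$sum" ] || continue          # skip blank manifest lines
        if check_md5 "$sum" "$dir/$name"; then
            echo "OK      $name"
        else
            echo "FAILED  $name"
            failed=1
        fi
    done <<EOF
$(${2:-manifest_311})
EOF
    return $failed
}
```
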