Version 4.2.25-1 of php-horde-kronolith is marked for autoremoval from testing on Tue 13 Aug 2019. It depends (transitively) on php-horde-text-filter, affected by #931255. You should try to prevent the removal by fixing these RC bugs.
CVE-2017-16908: In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.
CVE-2017-16906: In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
Please fix them.
Last update: 2019-07-07
Standards version of the package is outdated.
The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.4.0 instead of