[Pkg-roundcube-maintainers] Bug#514179: CVE-2009-0413: possible XSS issue
Vincent Bernat
bernat at debian.org
Fri Feb 6 06:38:06 UTC 2009
OoO On this cloudy night of Thursday, 5 February 2009, at around 00:13, Steffen
Joeris <steffen.joeris at skolelinux.de> said:
> Package: roundcube
> Version: 0.2~alpha-4
> Severity: important
> Tags: security
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for roundcube.
> CVE-2009-0413[0]:
> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
> | web script or HTML via the background attribute embedded in an HTML
> | e-mail message.
> This bug report concerns the experimental version. The other versions
> don't seem to be affected after a quick glance. The published upstream
> patch is here[1].
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
Hi Steffen!
To my knowledge, 0.1.1 and 0.2alpha are not affected because the
background attribute is not accepted at all.
The patch also fixes a regexp and I don't know if this is related to a
security issue. I will ask upstream about this.
Until I get a confirmation, I leave the report as is. I hope that
roundcube won't be removed from lenny. ;-)
Thanks for the report.
--
BOFH excuse #328:
Fiber optics caused gas main leak
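An added example, not code from this report or from RoundCube (which is PHP): a minimal HTML mail sanitizer in Python that handles the `background` attribute the way the unaffected versions did, by not accepting it at all, and scheme-checks the other URL-bearing attributes. The policy sets, `url_is_safe`, `EmailHtmlSanitizer`, `sanitize_email_html` and the SAMPLE body are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Policy assumed for this example: 'background' is never emitted (it is the vector
# in the report and mail rendering does not need it); other URL-bearing attributes
# must use an allowed scheme ("" = relative URL). HTMLParser drops comments itself.
DROP_ATTRS = {"background"}
URL_ATTRS = {"src", "href"}
SAFE_SCHEMES = {"", "http", "https", "cid"}

def url_is_safe(value):
    """Allow only listed schemes. Control characters are stripped first so that
    obfuscations such as 'java\\tscript:' do not slip past the scheme check."""
    cleaned = "".join(ch for ch in (value or "") if ch.isprintable()).strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

class EmailHtmlSanitizer(HTMLParser):
    """Re-serialises an HTML mail body, dropping disallowed attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []
    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:  # attribute values arrive entity-decoded
            name = name.lower()
            if name in DROP_ATTRS or (name in URL_ATTRS and not url_is_safe(value)):
                self.dropped.append((tag, name, value))  # audit trail for logging
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)
    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")
    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped on output

def sanitize_email_html(html):
    """Return (sanitized_html, dropped_attributes) for one HTML message body."""
    parser = EmailHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample body (not from the report): a script-scheme background on
# <body> beside a legitimate inline-image reference that must survive.
SAMPLE = '<body background="javascript:alert(1)"><p>Hi</p><img src="cid:logo@example" /></body>'
```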