[Pkg-roundcube-maintainers] Bug#514179: CVE-2009-0413: possible XSS issue
Vincent Bernat
bernat at debian.org
Mon Feb 9 18:00:46 UTC 2009
OoO On this cloudy night of Thursday 05 February 2009, at about 00:13, Steffen
Joeris <steffen.joeris at skolelinux.de> said:
> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
> | web script or HTML via the background attribute embedded in an HTML
> | e-mail message.
> This bug report concerns the experimental version. The other versions
> don't seem to be affected after a quick glance. The published upstream
> patch is here[1].
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
After some investigations, we discovered that roundcube 0.1.1 is
vulnerable to this XSS attack but is also vulnerable to many others,
even trivial ones.
We believe that we cannot fix those security issues with simple
patches. The best way to handle them would be to upgrade to 0.2 which is
not ready for unstable yet (and cannot run in Lenny because of missing
dependencies).
Therefore, it seems to be safer to just remove roundcube from Lenny.
--
Avoid unnecessary branches.
- The Elements of Programming Style (Kernighan & Plauger)
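The CVE text quoted above describes script injection through the `background` attribute of an HTML message. As an added illustration (not Roundcube's code and not the upstream patch referenced as [1]), the parser below rebuilds an HTML body with every `background` attribute removed and records what was dropped, so a webmail renderer can both neutralise and log such attributes; the sample message is constructed:

```python
from html.parser import HTMLParser
from html import escape


class BackgroundStripper(HTMLParser):
    """Rebuild HTML mail with every `background` attribute removed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []  # (tag, value) pairs, useful for detection logs

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.lower() == "background":
                self.dropped.append((tag, value))
                continue
            if value is None:
                kept.append(name)
            else:
                # HTMLParser unescapes values, so re-escape before emitting.
                kept.append(f'{name}="{escape(value, quote=True)}"')
        return (" " + " ".join(kept)) if kept else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_background(html_mail):
    """Return (sanitised HTML, list of dropped (tag, value) pairs)."""
    p = BackgroundStripper()
    p.feed(html_mail)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample message body, not taken from the advisory.
SAMPLE = ('<body background="javascript:void(0)"><table background="x.png">'
          '<tr><td>hi</td></tr></table></body>')
```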