[Pkg-roundcube-maintainers] Bug#514179: CVE-2009-0413: possible XSS issue

Vincent Bernat bernat at debian.org
Mon Feb 9 18:00:46 UTC 2009

OoO On this cloudy night of Thursday, February 5, 2009, around 00:13, Steffen
Joeris <steffen.joeris at skolelinux.de> said:

> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
> | web script or HTML via the background attribute embedded in an HTML
> | e-mail message.

> This bugreport concerns the experimental version. The other versions
> don't seem to be affected after a quick glance. The published upstream
> patch is here[1].

> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

After some investigations, we discovered that roundcube 0.1.1 is
vulnerable to this XSS attack but is also vulnerable to many others,
even trivial ones.

We believe that we cannot fix those security issues with simple
patches. The best way to handle them would be to upgrade to 0.2 which is
not ready for unstable yet (and cannot run in Lenny because of missing

Therefore, it seems to be safer to just remove roundcube from Lenny.
Avoid unnecessary branches.
            - The Elements of Programming Style (Kernighan & Plauger)