[Pkg-roundcube-maintainers] Bug#514179: CVE-2009-0413: possible XSS issue

Luk Claes luk at debian.org
Mon Feb 9 22:41:37 UTC 2009

Vincent Bernat wrote:
> OoO En cette nuit nuageuse du jeudi 05 février 2009, vers 00:13, Steffen
> Joeris <steffen.joeris at skolelinux.de> disait :
>> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
>> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
>> | web script or HTML via the background attribute embedded in an HTML
>> | e-mail message.
>> This bugreport concerns the experimental version. The other versions
>> don't seem to be affected after a quick glance. The published upstream
>> patch is here[1].
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
> After  some  investigations,  we  discovered  that  roundcube  0.1.1  is
> vulnerable to  this XSS  attack but is  also vulnerable to  many others,
> even trivial ones.
> We  believe  that  we  cannot  fix those  security  issues  with  simple
> patches. The best way to handle them would be to upgrade to 0.2 which is
> not ready for  unstable yet (and cannot run in  Lenny because of missing
> dependencies).
> Therefore, it seems to be safer to just remove roundcube from Lenny.

removal hint added



More information about the Pkg-roundcube-maintainers mailing list