[Pkg-roundcube-maintainers] Bug#514179: CVE-2009-0413: possible XSS issue
Luk Claes
luk at debian.org
Mon Feb 9 22:41:37 UTC 2009
Vincent Bernat wrote:
> OoO On this cloudy night of Thursday 05 February 2009, at about 00:13, Steffen
> Joeris <steffen.joeris at skolelinux.de> said:
>
>> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
>> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
>> | web script or HTML via the background attribute embedded in an HTML
>> | e-mail message.
>
>> This bug report concerns the experimental version. The other versions
>> don't seem to be affected after a quick glance. The published upstream
>> patch is here[1].
>
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
>
> After some investigations, we discovered that roundcube 0.1.1 is
> vulnerable to this XSS attack but is also vulnerable to many others,
> even trivial ones.
>
> We believe that we cannot fix those security issues with simple
> patches. The best way to handle them would be to upgrade to 0.2 which is
> not ready for unstable yet (and cannot run in Lenny because of missing
> dependencies).
>
> Therefore, it seems to be safer to just remove roundcube from Lenny.
Removal hint added.
Cheers
Luk
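The vector quoted above is an HTML e-mail whose `background` attribute carries script. The following is an added example, not Roundcube's own sanitizer or anything from this thread, showing the check a webmail renderer needs: drop `background` and `on*` attributes, reject unsafe URL schemes, and strip script-like elements, recording what was removed so it can be logged. The tag, attribute and scheme lists are assumptions chosen for the demonstration.

```python
import html
from html.parser import HTMLParser

# Assumed policy: elements whose content is never wanted in a rendered mail body.
DROP_TAGS = {"script", "style", "iframe", "object", "embed"}
# URL-carrying attributes that are only kept when the scheme is harmless.
URL_ATTRS = {"src", "href"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}

class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds an HTML mail body, dropping the 'background' attribute
    (the CVE-2009-0413 vector), on* event handlers, unsafe URL schemes and
    whole script-like elements. Every removal is recorded in self.dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skipping = [], [], 0

    def _keep(self, tag, name, value):
        name = name.lower()
        if name == "background" or name.startswith("on"):
            self.dropped.append((tag, name)); return False
        if name in URL_ATTRS and value and ":" in value:
            scheme = value.strip().lower().split(":", 1)[0]
            if scheme not in SAFE_SCHEMES:
                self.dropped.append((tag, name)); return False
        return True

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:           # skip the element and everything inside it
            self.dropped.append((tag, None)); self.skipping += 1; return
        if self.skipping: return
        kept = [f'{n}="{html.escape(v or "", quote=True)}"'
                for n, v in attrs if self._keep(tag, n, v)]
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self.skipping = max(0, self.skipping - 1); return
        if not self.skipping: self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping: self.out.append(html.escape(data, quote=False))

def sanitize_email_html(body):
    """Return (clean_html, dropped); dropped lists (tag, attr) pairs removed."""
    p = EmailHtmlSanitizer(); p.feed(body); p.close()
    return "".join(p.out), p.dropped

# Constructed sample mail body (not taken from the bug report).
SAMPLE = ('<body background="javascript:alert(1)"><p onclick="x()">Hi</p>'
          '<img src="cid:logo"><script>evil()</script></body>')
```

Feeding `SAMPLE` to `sanitize_email_html` yields `<body><p>Hi</p><img src="cid:logo"></body>` plus a dropped list naming the `background`, `onclick` and `script` removals, which is the signal a mail-rendering layer should log.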