[Pkg-roundcube-maintainers] Bug#514179: CVE-2009-0413: possible XSS issue
Vincent Bernat
bernat at debian.org
Wed Feb 11 18:25:38 UTC 2009
OoO On this radiant late morning of Tuesday, 10 February 2009, around
11:30, Holger Levsen <holger at layer-acht.org> said:
>> > After some investigations, we discovered that roundcube 0.1.1 is
>> > vulnerable to this XSS attack but is also vulnerable to many others,
>> > even trivial ones.
>> >
>> > We believe that we cannot fix those security issues with simple
>> > patches. The best way to handle them would be to upgrade to 0.2 which is
>> > not ready for unstable yet (and cannot run in Lenny because of missing
>> > dependencies).
>> >
>> > Therefore, it seems to be safer to just remove roundcube from Lenny.
>> removal hint added
> And what about the version in etch-backports now?
It should be vulnerable too. Would it be possible to upgrade to 0.2-alpha?
--
printk("Illegal format on cdrom. Pester manufacturer.\n");
2.2.16 /usr/src/linux/fs/isofs/inode.c