[Pkg-roundcube-maintainers] Bug#514179: CVE-2009-0413: possible XSS issue

Vincent Bernat bernat at debian.org
Wed Feb 11 18:25:38 UTC 2009

OoO En  cette fin  de matinée  radieuse du mardi  10 février  2009, vers
11:30, Holger Levsen <holger at layer-acht.org> disait :

>> > After  some  investigations,  we  discovered  that  roundcube  0.1.1  is
>> > vulnerable to  this XSS  attack but is  also vulnerable to  many others,
>> > even trivial ones.
>> >
>> > We  believe  that  we  cannot  fix those  security  issues  with  simple
>> > patches. The best way to handle them would be to upgrade to 0.2 which is
>> > not ready for  unstable yet (and cannot run in  Lenny because of missing
>> > dependencies).
>> >
>> > Therefore, it seems to be safer to just remove roundcube from Lenny.
>> removal hint added

> And what about the version in etch-backports now?

It should be vulnerable too. Would it be possible to upgrade to 0.2-alpha?
printk("Illegal format on cdrom.  Pester manufacturer.\n"); 
	2.2.16 /usr/src/linux/fs/isofs/inode.c
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/attachments/20090211/53d12e40/attachment-0001.pgp 

More information about the Pkg-roundcube-maintainers mailing list