[Pkg-roundcube-maintainers] Bug#536498: Please backport roundcube CVE-2008-5619

Benjamin Bannier benni at netronaut.de
Fri Jul 10 14:21:56 UTC 2009

Package: roundcube
Version: 0.2.2-1
Severity: grave
Tags: security
Justification: user security hole


I have roundcube installed from backports, and I see people
exploiting roundcube CVE-2008-5619.

Any chance the fix mentioned there could be backported to etch?

For now I pulled the version from unstable on my system.



-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages roundcube depends on:
ii  roundcube-core                0.2.2-1    skinnable AJAX based webmail solut

roundcube recommends no packages.

Versions of packages roundcube-core depends on:
ii  apache2              2.2.3-4+etch8       Next generation, scalable, extenda
ii  apache2-mpm-prefork  2.2.3-4+etch8       Traditional model for Apache HTTPD
ii  dbconfig-common      1.8.29+etch1        common framework for packaging dat
ii  debconf [debconf-2.0 1.5.11etch2         Debian configuration management sy
ii  libmagic1            4.17-5etch3         File type determination library us
ii  php-auth             1.2.4-0.1           PHP PEAR modules for creating an a
ii  php-mail-mime        1.5.2-0.1           PHP PEAR module for creating MIME 
ii  php-mdb2             2.5.0b2-1           PHP PEAR module to provide a commo
ii  php-net-smtp         1.2.6-2             PHP PEAR module implementing SMTP 
ii  php-net-socket       1.0.6-2             PHP PEAR Network Socket Interface 
ii  php5                 5.2.0+dfsg-8+etch15 server-side, HTML-embedded scripti
ii  php5-gd              5.2.0+dfsg-8+etch15 GD module for php5
ii  php5-mcrypt          5.2.0+dfsg-8+etch15 MCrypt module for php5
ii  php5-pspell          5.2.0+dfsg-8+etch15 pspell module for php5
ii  roundcube-sqlite     0.2.2-1             metapackage providing sqlite depen
ii  tinymce             platform independent web based Jav
ii  ucf                  2.0020              Update Configuration File: preserv

-- debconf information:
* roundcube/dbconfig-install: true
* roundcube/db/dbname: roundcube
  roundcube/pgsql/authmethod-admin: ident
  roundcube/pgsql/admin-user: postgres
  roundcube/internal/skip-preseed: false
  roundcube/dbconfig-reinstall: false
* roundcube/restart-webserver: false
  roundcube/dbconfig-upgrade: true
  roundcube/internal/reconfiguring: false
  roundcube/upgrade-error: abort
  roundcube/pgsql/authmethod-user: password
  roundcube/purge: false
* roundcube/language: de_DE
  roundcube/pgsql/changeconf: false
  roundcube/upgrade-backup: true
  roundcube/install-error: abort
  roundcube/mysql/admin-user: root
* roundcube/hosts: netronaut.de:6666
  roundcube/mysql/method: unix socket
  roundcube/remove-error: abort
  roundcube/pgsql/method: unix socket
* roundcube/db/basepath: /var/lib/dbconfig-common/sqlite/roundcube
* roundcube/reconfigure-webserver: apache2
* roundcube/database-type: sqlite
