[Pkg-roundcube-maintainers] Bug#536498: Please backport roundcube CVE-2008-5619
Benjamin Bannier
benjamin.bannier at netronaut.de
Tue Jul 14 15:12:28 UTC 2009
On Mon, 13 Jul 2009 14:28:30 +0200
Nico Golde <nion at debian.org> wrote:
> * Gerfried Fuchs <rhonda at deb.at> [2009-07-13 14:17]:
> > * Benjamin Bannier <benjamin.bannier at netronaut.de> [2009-07-10
> > 17:14:45 CEST]:
> > > thanks for your quick response.
> > >
> > > I see roundcube-0.1.1-10~bpo40+2 still in backports. I presume
> > > this doesn't include the patch to fix this specific issue.
> >
> > Erm, are you sure? According to Nico it was fixed in 0.1.1-9 which
> > is older than 0.1.1-10. I'm now pretty puzzled about the whole fuzz
> > and the issue at hand?
>
> I checked the package of backports and the issue you are
> reporting seems indeed to be fixed. Do you have any evidence
> that this or a similar issue is being exploited on your
> system?
Sorry for not answering earlier, was struggling with this bugzilla
interface and my message didn't go through.
I see the exact same issue, somebody accessing roundcube's html2text
with POSTs and files are being uploaded (to /dev/shm in this
particular case). And I also have no idea how they start their programs
(a process httpd run by www-data that we caught quickly with tiger
since on Debian we call it apache2).
Benjamin
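The symptoms in Benjamin's report (POSTs to roundcube's html2text script, a process named httpd running as www-data, files turning up in /dev/shm) translate into a few quick triage checks. The script below is an added example, not code from this thread, from Roundcube or from the Debian package; it assumes Apache combined log format and Debian's convention of running the web server as www-data under the process name apache2, and the log and ps lines it contains are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): triage checks for the
# symptoms described above. Both filters read from stdin so they work on a
# live system and on saved copies of the log or process listing.

# Print access-log lines where a POST hit roundcube's html2text script.
# Assumes Apache combined log format, where the request line is quoted;
# GETs to the same path are deliberately not flagged.
flag_html2text_posts() {
    awk '/"POST [^" ]*html2text/'
}

# Print processes owned by www-data whose command name is not apache2.
# On Debian the web server runs as www-data under the name apache2, so an
# "httpd", "perl" or similar binary under that user deserves a look.
# Input: lines of "USER COMMAND", e.g. from: ps -eo user= -o comm=
flag_foreign_www_data_procs() {
    awk '$1 == "www-data" && $2 != "apache2"'
}

# Constructed sample input (not real log data) so the script runs offline.
SAMPLE_LOG='203.0.113.7 - - [13/Jul/2009:03:11:02 +0000] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 17 "-" "Mozilla/4.0"
192.0.2.5 - - [13/Jul/2009:03:12:40 +0000] "GET /roundcube/ HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2009:03:13:09 +0000] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 17 "-" "Mozilla/4.0"
198.51.100.9 - - [13/Jul/2009:03:14:00 +0000] "GET /roundcube/bin/html2text.php HTTP/1.1" 403 212 "-" "curl/7.18"'

SAMPLE_PS='root init
www-data apache2
www-data apache2
www-data httpd
www-data perl'

# Counts are returned on stdout so the result can be checked, not only read.
count_html2text_posts() {
    printf '%s\n' "$SAMPLE_LOG" | flag_html2text_posts | wc -l | tr -d ' '
}
count_foreign_www_data_procs() {
    printf '%s\n' "$SAMPLE_PS" | flag_foreign_www_data_procs | wc -l | tr -d ' '
}

# Live use on a Debian box (GNU find syntax for the /dev/shm check):
#   flag_html2text_posts < /var/log/apache2/access.log
#   ps -eo user= -o comm= | flag_foreign_www_data_procs
#   find /dev/shm -type f -user www-data -perm /111 -ls
echo "html2text POSTs in sample log: $(count_html2text_posts)"
echo "non-apache2 www-data processes in sample ps: $(count_foreign_www_data_procs)"
```

A hit from the first filter alone is only a lead, since a legitimate Roundcube session never needs to POST to that script directly but scanners probe it on patched hosts too; a hit from the second filter, or an executable under /dev/shm owned by www-data, is what actually indicates the box was used.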