[Pkg-roundcube-maintainers] Bug#536498: Please backport roundcube CVE-2008-5619

Benjamin Bannier benjamin.bannier at netronaut.de
Tue Jul 14 15:12:28 UTC 2009


On Mon, 13 Jul 2009 14:28:30 +0200
Nico Golde <nion at debian.org> wrote:

> * Gerfried Fuchs <rhonda at deb.at> [2009-07-13 14:17]:
> > * Benjamin Bannier <benjamin.bannier at netronaut.de> [2009-07-10
> > 17:14:45 CEST]:
> > > thanks for your quick response.
> > > 
> > > I see roundcube-0.1.1-10~bpo40+2 still in backports. I presume
> > > this doesn't include the patch to fix this specific issue.
> > 
> >  Erm, are you sure? According to Nico it was fixed in 0.1.1-9, which
> > is older than 0.1.1-10. I'm now pretty puzzled about the whole fuss
> > and the issue at hand?
> 
> I checked the package of backports and the issue you are 
> reporting seems indeed to be fixed. Do you have any evidence 
> that this or a similar issue is being exploited on your 
> system?

Sorry for not answering earlier; I was struggling with this bugzilla
interface and my message didn't go through.

I see the exact same issue: somebody accessing roundcube's html2text
with POSTs, and files being uploaded (to /dev/shm in this particular
case). And I also have no idea how they start their programs (a process
named httpd run by www-data, which we caught quickly with tiger since on
Debian we call it apache2).

Benjamin
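
The two observations in the message above (POSTs to roundcube's html2text script, and a process calling itself "httpd" run by www-data out of /dev/shm on a Debian box whose real web server is apache2) translate directly into a pair of triage checks. The script below is an added example, not code from this thread or from the roundcube package; it assumes Apache combined-format logs, that the script is served at a path ending in /bin/html2text.php, and that the process table is available as user/pid/comm plus the resolved /proc/<pid>/exe target. The log lines and the process table are constructed samples.

```python
"""Triage checks for the pattern described in the report: POSTs to
roundcube's html2text script, files dropped under /dev/shm, and a process
calling itself "httpd" running as www-data on a Debian host (where Apache's
real process name is apache2).  Added example; not code from the original
thread or from the roundcube package."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed Apache combined-format access log lines (sample data, not the
# reporter's real logs).  The mount point /roundcube/bin/html2text.php is an
# assumption about this hypothetical host.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [14/Jul/2009:10:01:02 +0000] "GET /roundcube/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2009:10:01:09 +0000] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jul/2009:10:02:11 +0000] "POST /roundcube/bin/html2text.php HTTP/1.0" 200 17 "-" "-"
192.0.2.9 - - [14/Jul/2009:10:03:00 +0000] "GET /roundcube/bin/html2text.php HTTP/1.1" 200 11 "-" "curl/7.18"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int


def find_html2text_posts(log_text: str) -> List[Hit]:
    """Return every POST whose path ends in /html2text.php.

    GET requests to the same script are ignored: the report describes POSTs,
    and a normal webmail session has no reason to POST to this helper.
    """
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if m.group("method") == "POST" and path.endswith("/html2text.php"):
            hits.append(Hit(m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


@dataclass
class Proc:
    user: str
    pid: int
    comm: str   # kernel process name, as shown by `ps -eo comm`
    exe: str    # resolved /proc/<pid>/exe target


# Constructed process table for a Debian box: apache2 workers are normal,
# an "httpd" owned by www-data and executing from /dev/shm is the kind of
# thing the report describes.  Sample data, not captured from a real system.
SAMPLE_PROCS = [
    Proc("root", 1, "init", "/sbin/init"),
    Proc("root", 1200, "apache2", "/usr/sbin/apache2"),
    Proc("www-data", 1201, "apache2", "/usr/sbin/apache2"),
    Proc("www-data", 1202, "apache2", "/usr/sbin/apache2"),
    Proc("www-data", 2342, "httpd", "/dev/shm/.x/httpd"),
    Proc("www-data", 2350, "perl", "/usr/bin/perl"),
]

# World-writable scratch locations a web-server user should never execute from.
SCRATCH_DIRS = ("/dev/shm", "/tmp", "/var/tmp")


def suspicious_web_processes(procs: Iterable[Proc], web_user: str = "www-data",
                             expected_comm: str = "apache2") -> List[Tuple[Proc, str]]:
    """Flag processes owned by the web-server user that either execute from a
    scratch directory or call themselves "httpd" on a host whose web server
    is actually named something else (apache2 on Debian)."""
    flagged: List[Tuple[Proc, str]] = []
    for p in procs:
        if p.user != web_user:
            continue
        if any(p.exe == d or p.exe.startswith(d + "/") for d in SCRATCH_DIRS):
            flagged.append((p, "executable lives in a scratch directory: " + p.exe))
        elif p.comm == "httpd" and expected_comm != "httpd":
            flagged.append((p, "process calls itself httpd but the web server here is " + expected_comm))
    return flagged


if __name__ == "__main__":
    for h in find_html2text_posts(SAMPLE_ACCESS_LOG):
        print(f"POST to {h.path} from {h.ip} at {h.ts} -> {h.status}")
    for p, why in suspicious_web_processes(SAMPLE_PROCS):
        print(f"pid {p.pid} ({p.comm}, {p.user}): {why}")
```

On a live host the same functions take the real access log and a process table built from `ps -eo user,pid,comm` plus `readlink /proc/<pid>/exe`; the exe check is the more reliable of the two, since the process name is trivially chosen by whoever started it, as the report's own "httpd" shows.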