[Pkg-roundcube-maintainers] Bug#721592: roundcube: CVE-2013-5645
bernat at debian.org
Mon Sep 2 06:42:14 UTC 2013
❦ 2 septembre 2013 08:31 CEST, Salvatore Bonaccorso <carnil at debian.org> :
> the following vulnerability was published for roundcube.
> | Multiple cross-site scripting (XSS) vulnerabilities in Roundcube
> | webmail before 0.9.3 allow user-assisted remote attackers to inject
> | arbitrary web script or HTML via the body of a message visited in (1)
> | new or (2) draft mode, related to compose.inc; and (3) might allow
> | remote authenticated users to inject arbitrary web script or HTML via
> | an HTML signature, related to save_identity.inc.
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> For further information see:
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645
>  http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
>  http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
>  http://trac.roundcube.net/ticket/1489251
>  http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
> Please adjust the affected versions in the BTS as needed. At least
> 0.9.2 looks affected.
Previous versions are likely to be affected too. I will try to backport
the patches. For version in Jessie and unstable, I will just upload
Document your data layouts.
- The Elements of Programming Style (Kernighan & Plauger)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 835 bytes
Desc: not available
More information about the Pkg-roundcube-maintainers