[Pkg-roundcube-maintainers] Bug#721592: roundcube: CVE-2013-5645
Salvatore Bonaccorso
carnil at debian.org
Tue Sep 3 06:51:43 UTC 2013
Hi Vincent!
On Mon, Sep 02, 2013 at 08:42:14AM +0200, Vincent Bernat wrote:
> ❦ 2 septembre 2013 08:31 CEST, Salvatore Bonaccorso <carnil at debian.org> :
>
> > the following vulnerability was published for roundcube.
> >
> > CVE-2013-5645[0]:
> > | Multiple cross-site scripting (XSS) vulnerabilities in Roundcube
> > | webmail before 0.9.3 allow user-assisted remote attackers to inject
> > | arbitrary web script or HTML via the body of a message visited in (1)
> > | new or (2) draft mode, related to compose.inc; and (3) might allow
> > | remote authenticated users to inject arbitrary web script or HTML via
> > | an HTML signature, related to save_identity.inc.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645
> > http://security-tracker.debian.org/tracker/CVE-2013-5645
> > [1] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
> > [2] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
> > [3] http://trac.roundcube.net/ticket/1489251
> > [4] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
> >
> > Please adjust the affected versions in the BTS as needed. At least
> > 0.9.2 looks affected.
>
> Hi Salvatore!
>
> Previous versions are likely to be affected too. I will try to backport
> the patches. For version in Jessie and unstable, I will just upload
> 0.9.3.
Thanks for your quick reply! From what I see about the vulnerability,
I would say this does not warrant a DSA, as the exploitability seems
to be limited to a user-assisted remote attacker.
Do you agree on that conclusion? If yes I will mark this in the
security-tracker appropriately. Could you address in that case the
updates trough a proposed-update instead?
Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/attachments/20130903/03e1061c/attachment.sig>
More information about the Pkg-roundcube-maintainers
mailing list