Package: roundcube Severity: important Tags: security upstream patch fixed-upstream
Hi, the following vulnerability was published for roundcube. CVE-2013-5645[0]: | Multiple cross-site scripting (XSS) vulnerabilities in Roundcube | webmail before 0.9.3 allow user-assisted remote attackers to inject | arbitrary web script or HTML via the body of a message visited in (1) | new or (2) draft mode, related to compose.inc; and (3) might allow | remote authenticated users to inject arbitrary web script or HTML via | an HTML signature, related to save_identity.inc. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645 http://security-tracker.debian.org/tracker/CVE-2013-5645 [1] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github [2] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github [3] http://trac.roundcube.net/ticket/1489251 [4] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3 Please adjust the affected versions in the BTS as needed. At least 0.9.2 looks affected. Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
