Hi Vincent! On Mon, Sep 02, 2013 at 08:42:14AM +0200, Vincent Bernat wrote: > ❦ 2 septembre 2013 08:31 CEST, Salvatore Bonaccorso <car...@debian.org> : > > > the following vulnerability was published for roundcube. > > > > CVE-2013-5645[0]: > > | Multiple cross-site scripting (XSS) vulnerabilities in Roundcube > > | webmail before 0.9.3 allow user-assisted remote attackers to inject > > | arbitrary web script or HTML via the body of a message visited in (1) > > | new or (2) draft mode, related to compose.inc; and (3) might allow > > | remote authenticated users to inject arbitrary web script or HTML via > > | an HTML signature, related to save_identity.inc. > > > > If you fix the vulnerability please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > > > For further information see: > > > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645 > > http://security-tracker.debian.org/tracker/CVE-2013-5645 > > [1] > > http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github > > [2] > > http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github > > [3] http://trac.roundcube.net/ticket/1489251 > > [4] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3 > > > > Please adjust the affected versions in the BTS as needed. At least > > 0.9.2 looks affected. > > Hi Salvatore! > > Previous versions are likely to be affected too. I will try to backport > the patches. For version in Jessie and unstable, I will just upload > 0.9.3.
Thanks for your quick reply! From what I see about the vulnerability, I would say this does not warrant a DSA, as the exploitability seems to be limited to a user-assisted remote attacker. Do you agree on that conclusion? If yes I will mark this in the security-tracker appropriately. Could you address in that case the updates trough a proposed-update instead? Regards, Salvatore
signature.asc
Description: Digital signature
