OoO On this cloudy night of Thursday 05 February 2009, around 00:13, Steffen Joeris <steffen.joe...@skolelinux.de> said:

> Package: roundcube
> Version: 0.2~alpha-4
> Severity: important
> Tags: security
>
> Hi,
>
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for roundcube.
>
> CVE-2009-0413[0]:
> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
> | web script or HTML via the background attribute embedded in an HTML
> | e-mail message.
>
> This bug report concerns the experimental version. The other versions
> don't seem to be affected after a quick glance. The published upstream
> patch is here[1].
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

Hi Steffen!

From my knowledge, 0.1.1 and 0.2alpha are not affected because the background attribute is not accepted at all. The patch also fixes a regexp and I don't know if this is related to a security issue. I will ask upstream about this. Until I get a confirmation, I leave the report as is.

I hope that roundcube won't be removed from lenny. ;-)

Thanks for the report.

--
BOFH excuse #328: Fiber optics caused gas main leak