Holger Levsen uploaded a new package for roundcube which fixed the following security problems: CVE-2010-0464 Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. For the lenny-backports distribution (lenny), these problems have been fixed in version 0.3.1-3~bpo50+1. Upgrade instructions --------------------- If you don't use pinning (see [1]) you have to update roundcube manually via "apt-get -t lenny-backports install roundcube". [1] <http://backports.org/dokuwiki/doku.php?id=instructions> We recommend to pin the backports repository to 200 so that new versions of installed backports will be installed automatically: Package: * Pin: release a=lenny-backports Pin-Priority: 200
Attachment:
signature.asc
Description: This is a digitally signed message part.