
Re: Bug#514179: CVE-2009-0413: possible XSS issue



OoO On this cloudy night of Thursday 05 February 2009, around 00:13, Steffen
Joeris <steffen.joeris@skolelinux.de> said:

> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
> | web script or HTML via the background attribute embedded in an HTML
> | e-mail message.

> This bug report concerns the experimental version. The other versions
> don't seem to be affected after a quick glance. The published upstream
> patch is here[1].

> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

After some investigations, we discovered that roundcube 0.1.1 is
vulnerable to this XSS attack but is also vulnerable to many others,
even trivial ones.

We believe that we cannot fix those security issues with simple
patches. The best way to handle them would be to upgrade to 0.2 which is
not ready for unstable yet (and cannot run in Lenny because of missing
dependencies).

Therefore, it seems to be safer to just remove roundcube from Lenny.
-- 
Avoid unnecessary branches.
            - The Elements of Programming Style (Kernighan & Plauger)
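The advisory quoted above describes script injection through the `background` attribute of an HTML mail body. As an added illustration of the defensive side (this is not RoundCube's code nor the upstream patch, and the tag/attribute allowlist and the sample message are assumptions constructed for the example), the following sanitizer rebuilds an HTML mail body keeping only allowlisted tags and attributes, which drops `background` outright, and rejects URL-valued attributes whose scheme is not in a short allowlist, so entity-encoded or whitespace-split `javascript:` values are caught as well:

```python
import re
from html import escape, unescape
from html.parser import HTMLParser

# Allowlist (assumed for this example): anything not listed is dropped.
# `background`, `style` and all on* event handlers are deliberately absent.
ALLOWED_TAGS = {"body", "div", "span", "p", "br", "b", "i", "u", "a",
                "img", "table", "tr", "td"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "width", "height"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")


def url_is_safe(value):
    """True for relative URLs and for absolute URLs with an allowlisted scheme."""
    # Decode entities and strip whitespace/control chars so that
    # "java&#115;cript:" or "java\nscript:" cannot hide the scheme.
    v = re.sub(r"[\s\x00-\x1f]", "", unescape(value)).lower()
    m = _SCHEME.match(v)
    return m is None or m.group(1) in SAFE_SCHEMES


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []      # sanitized HTML fragments
        self.dropped = []  # (tag, attr) pairs removed; attr is None for a dropped tag

    def handle_starttag(self, tag, attrs):  # also called for <br/> style tags
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS or (name in URL_ATTRS and not url_is_safe(value)):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped


def sanitize_html_mail(html):
    """Return (sanitized_html, dropped) for one HTML mail body."""
    p = MailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample message exercising the attribute named in the advisory.
SAMPLE = ('<body background="javascript:alert(1)">'
          '<p onclick="x()">Hi <a href="https://example.org/">link</a></p>'
          '<img src="java&#115;cript:alert(2)" alt="x"></body>')
```

The `dropped` list is what a mail gateway would log: a `background` or `on*` attribute in an inbound message is a useful detection signal even after the body has been neutralized.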
