Vincent Bernat wrote:
> OoO On this cloudy night of Thursday 05 February 2009, at about 00:13, Steffen
> Joeris <steffen.joe...@skolelinux.de> said:
>
>> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
>> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
>> | web script or HTML via the background attribute embedded in an HTML
>> | e-mail message.
>
>> This bugreport concerns the experimental version. The other versions
>> don't seem to be affected after a quick glance. The published upstream
>> patch is here[1].
>
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
>
> After some investigations, we discovered that roundcube 0.1.1 is
> vulnerable to this XSS attack but is also vulnerable to many others,
> even trivial ones.
>
> We believe that we cannot fix those security issues with simple
> patches. The best way to handle them would be to upgrade to 0.2 which is
> not ready for unstable yet (and cannot run in Lenny because of missing
> dependencies).
>
> Therefore, it seems to be safer to just remove roundcube from Lenny.

removal hint added

Cheers

Luk