1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2787-1] roundcube security update

    From Salvatore Bonaccorso@1:229/2 to All on Sun Oct 27 10:00:01 2013
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2787-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso October 27, 2013 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : roundcube
    Vulnerability : design error
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2013-6172
    Debian Bug : 727668

    It was discovered that roundcube, a skinnable AJAX based webmail
    solution for IMAP servers, does not properly sanitize the _session
    parameter in steps/utils/save_pref.inc during saving preferences. The vulnerability can be exploited to overwrite configuration settings and subsequently allowing random file access, manipulated SQL queries and
    even code execution.

    roundcube in the oldstable distribution (squeeze) is not affected by
    this problem.

    For the stable distribution (wheezy), this problem has been fixed in
    version 0.7.2-9+deb7u1.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your roundcube packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.15 (GNU/Linux)

    iQIcBAEBCgAGBQJSbNQmAAoJEAVMuPMTQ89E6zYP/0tlZhlEgadu7xvTauny/zim RV2WCJFLmRMCGZYhCiOJ2ND50fAnn62CdO+vnWN3JH5FH0KIngLmtGfrq+EPjLwj rFPGMPKRDZRag8oV3SeKbsHlrcMHS5H/B9GhILst3+32pbwoBE7aH5+wTMYHshsF TK0whlv73RZge6njPfzqvdkSoIgCLYx4Mc+pXP/pC+wOaSiD/gMjKBh51DoOwpnB r7rfs7wmy4Ke1Ljsw35LceX64kCP8YC9d7FUPZc8SxUKEk3eojrhnSzpDUBt+Pvl /S8nAbCbbrosh464szwXL4w6gcZIDDJgvy3u3aTn+XvRCoK6cr8RrdMbBQibR1Xb 9hCdieOs0pkNbBI4yE6bivztAolHlfAwvsgFPcMv3fM26gAsSOC8SRrzRqQrqqqk 1jfUqJETE+W0FkjmZa4W6JiDm78ZP4DNFQCrITRaealMgo2dh2uKua/4PmaBwjJ/ /lrukur5D6mCcLxFEpRA9TwDYVcvWE3cCVL9WhaMBNRJWiuKuaamOujO7jPtzga8 uJZWGKQNTd4rB6WHN4uN2wqltPH3lOIxvOd+2Uu9P9mDwQkgfrQ0s/hwjB3dpPWO vNqHSeK2j8RZPDD4reulRFC4vEbI3MCXOUcyc+JqgI9Pa61Y0qrM6PwWyoPTDROr PGySE+o+FGBjlugiGG51
    =CNJm
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)