CVE-2010-0464: privacy compromise via DNS prefetching in web mail

Related Vulnerabilities: CVE-2010-0464  

Debian Bug report logs - #569660


Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Sat, 13 Feb 2010 09:12:02 UTC

Severity: serious

Tags: security

Fixed in version roundcube/0.3.1-3

Done: Vincent Bernat <bernat@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#569660; Package roundcube. (Sat, 13 Feb 2010 09:12:05 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Sat, 13 Feb 2010 09:12:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-0464: privacy compromise via DNS prefetching in web mail
Date: Sat, 13 Feb 2010 10:05:22 +0100
Package: roundcube
Severity: serious
Tags: security


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for roundcube.

CVE-2010-0464[0]:
| Roundcube 0.3.1 and earlier does not request that the web browser
| avoid DNS prefetching of domain names contained in e-mail messages,
| which makes it easier for remote attackers to determine the network
| location of the webmail user by logging DNS requests.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0464
    http://security-tracker.debian.org/tracker/CVE-2010-0464







Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Sat, 13 Feb 2010 10:18:36 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Sat, 13 Feb 2010 10:18:37 GMT)


Message #10 received at 569660-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 569660-close@bugs.debian.org
Subject: Bug#569660: fixed in roundcube 0.3.1-3
Date: Sat, 13 Feb 2010 10:15:18 +0000
Source: roundcube
Source-Version: 0.3.1-3

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:

roundcube-core_0.3.1-3_all.deb
  to main/r/roundcube/roundcube-core_0.3.1-3_all.deb
roundcube-mysql_0.3.1-3_all.deb
  to main/r/roundcube/roundcube-mysql_0.3.1-3_all.deb
roundcube-pgsql_0.3.1-3_all.deb
  to main/r/roundcube/roundcube-pgsql_0.3.1-3_all.deb
roundcube-sqlite_0.3.1-3_all.deb
  to main/r/roundcube/roundcube-sqlite_0.3.1-3_all.deb
roundcube_0.3.1-3.diff.gz
  to main/r/roundcube/roundcube_0.3.1-3.diff.gz
roundcube_0.3.1-3.dsc
  to main/r/roundcube/roundcube_0.3.1-3.dsc
roundcube_0.3.1-3_all.deb
  to main/r/roundcube/roundcube_0.3.1-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 569660@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 13 Feb 2010 10:21:49 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.3.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 567550 568360 568537 569660
Changes: 
 roundcube (0.3.1-3) unstable; urgency=high
 .
   * RFC 5321, section 4.5.3.1, asks to not impose any limits on length if
     possible. We respect this by dropping limitation of the local-part of
     an email address. Closes: #568360, #568537.
   * Suggests php-auth-sasl to enable use of SASL mechanisms for mail
     servers. Closes: #567550.
   * Disable DNS prefetching to avoid information leakage through links
     embedded in messages. This fixes CVE-2010-0464. Closes: #569660.
   * Bump Standards-Version. No changes required.

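The changelog entry above names the fix ("disable DNS prefetching") and the CVE text in message #5 describes what was missing: the webmail page never asked the browser not to resolve hostnames found in links. As an added example that is not Roundcube's own code, the helper below sets the two signals browsers honour for that request, the X-DNS-Prefetch-Control response header and the equivalent meta tag, and includes an audit check a defender can run against a captured response; the function names, the header-handling helper and the sample page are constructed for this example.

```python
import re

# Both signals that ask a browser not to resolve hostnames found in links
# ahead of a click: a response header and an equivalent <meta> tag.
META_TAG = '<meta http-equiv="x-dns-prefetch-control" content="off">'
HEADER_NAME = "X-DNS-Prefetch-Control"

# Constructed sample page: a webmail view with an HTML message rendered into
# it (the hostnames are placeholders, not real tracking domains).
SAMPLE_PAGE = (
    "<html><head><title>Inbox</title></head><body>"
    '<p>See <a href="http://tracker.example.invalid/u/42">this</a> and '
    '<a href="https://example.invalid/news">that</a>.</p></body></html>'
)

def prefetch_targets(html):
    """Hostnames a prefetching browser would resolve just by rendering the
    page, i.e. the domains whose DNS servers learn the reader's resolver."""
    return set(re.findall(r'href=["\']?https?://([^/"\'\s>:]+)', html, re.I))

def has_meta_off(html):
    """True if the page carries the x-dns-prefetch-control=off meta tag."""
    pattern = r'<meta\s+http-equiv=["\']?x-dns-prefetch-control["\']?\s+content=["\']?off'
    return re.search(pattern, html, re.I) is not None

def prefetch_disabled(headers, html):
    """Audit check: is either signal present? Header names are case-insensitive."""
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return lowered.get(HEADER_NAME.lower()) == "off" or has_meta_off(html)

def harden_response(headers, html):
    """Return a copy of (headers, html) with both signals set; idempotent.
    The meta tag goes right after <head> so it precedes every link."""
    headers = dict(headers)
    headers[HEADER_NAME] = "off"
    if not has_meta_off(html):
        if re.search(r"<head[^>]*>", html, re.I):
            html = re.sub(r"(<head[^>]*>)", r"\1" + META_TAG, html, count=1, flags=re.I)
        else:  # no <head> at all: put the tag first so it still applies
            html = META_TAG + html
    return headers, html

if __name__ == "__main__":
    print("would resolve without a click:", sorted(prefetch_targets(SAMPLE_PAGE)))
    hdrs, page = harden_response({"Content-Type": "text/html"}, SAMPLE_PAGE)
    print("prefetch disabled after hardening:", prefetch_disabled(hdrs, page))
```

The header is the more robust of the two signals because it applies before the HTML is parsed; the meta tag covers pages served through a path that cannot set headers.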





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 16 Mar 2010 07:36:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:49:55 2019; Machine Name: buxtehude