Debian Bug report logs - #514179: CVE-2009-0413: possible XSS issue
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Wed, 4 Feb 2009 23:18:01 UTC
Severity: important
Tags: security
Found in version roundcube/0.2~alpha-4
Fixed in version roundcube/0.2~stable-1
Done: Vincent Bernat <bernat@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#514179; Package roundcube. (Wed, 04 Feb 2009 23:18:03 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Wed, 04 Feb 2009 23:18:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: roundcube
Version: 0.2~alpha-4
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for roundcube.
CVE-2009-0413[0]:
| Cross-site scripting (XSS) vulnerability in RoundCube Webmail
| (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
| web script or HTML via the background attribute embedded in an HTML
| e-mail message.
This bugreport concerns the experimental version. The other versions
don't seem to be affected after a quick glance. The published upstream
patch is here[1].
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0413
http://security-tracker.debian.net/tracker/CVE-2009-0413
[1] http://trac.roundcube.net/changeset/2245
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#514179; Package roundcube. (Fri, 06 Feb 2009 06:39:02 GMT)
Acknowledgement sent to Vincent Bernat <bernat@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Fri, 06 Feb 2009 06:39:03 GMT)
Message #10 received at 514179@bugs.debian.org:
OoO On this cloudy night of Thursday 05 February 2009, around 00:13, Steffen
Joeris <steffen.joeris@skolelinux.de> said:
> Package: roundcube
> Version: 0.2~alpha-4
> Severity: important
> Tags: security
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for roundcube.
> CVE-2009-0413[0]:
> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
> | web script or HTML via the background attribute embedded in an HTML
> | e-mail message.
> This bugreport concerns the experimental version. The other versions
> don't seem to be affected after a quick glance. The published upstream
> patch is here[1].
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
Hi Steffen!
From my knowledge, 0.1.1 and 0.2alpha are not affected because the
background attribute is not accepted at all.
The patch also fixes a regexp and I don't know if this is related to a
security issue. I will ask upstream about this.
Until I get a confirmation, I leave the report as is. I hope that
roundcube won't be removed from lenny. ;-)
Thanks for the report.
--
BOFH excuse #328:
Fiber optics caused gas main leak
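The CVE text quoted in message #5 and Vincent's remark above that the `background` attribute "is not accepted at all" in 0.1.1 and 0.2alpha both come down to how an HTML message body is filtered before it reaches the browser. The sanitizer below is an added example written for this page; it is not Roundcube's washtml code, and its tag and attribute allowlists, the safe_url() helper and the sample message are assumptions made for illustration. It keeps only attributes explicitly allowed for their tag (so `background` on body or td is dropped without any blocklist entry naming it) and additionally rejects URL-bearing attributes whose scheme is not http, https, mailto or cid:

```python
# Added example: allowlist-based sanitizer for HTML mail bodies. This is not
# Roundcube's washtml code; the allowlists, safe_url() and the sample message
# below are assumptions made for illustration.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "div", "span",
                "table", "tr", "td", "th", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {                      # anything else (background, style, on*)
    "a": {"href", "title"},            # is dropped without a blocklist entry
    "img": {"src", "alt", "width", "height"},
    "table": {"border", "cellpadding", "cellspacing"},
    "td": {"colspan", "rowspan", "align"},
    "th": {"colspan", "rowspan", "align"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}    # their text content is discarded, not escaped


def safe_url(value):
    """True if the URL's scheme is allowlisted. Whitespace and control
    characters are removed first because browsers strip tab/newline from a
    URL before reading the scheme. Relative URLs (no scheme) are rejected,
    which is the right default for a mail body."""
    compact = "".join(ch for ch in value if ord(ch) > 32)
    return urlparse(compact).scheme.lower() in SAFE_SCHEMES


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attr) removed; (tag, None) = whole tag removed
        self._raw_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))   # tag goes, its text content stays
            return
        kept = []
        for name, value in attrs:              # HTMLParser lowercases names
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))
            elif name in URL_ATTRS and not safe_url(value):
                self.dropped.append((tag, name))
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth = max(0, self._raw_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._raw_depth == 0:
            self.out.append(escape(data, quote=False))   # re-escape decoded text


def sanitize(body):
    """Return (clean_html, dropped) for an HTML mail body."""
    p = MailSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample message body, not taken from the advisory or the bug log.
SAMPLE_BODY = (
    '<html><body background="javascript:alert(1)">'
    '<table><tr><td background="http://example.invalid/x.png" onmouseover="alert(2)">'
    '<a href="javascript:alert(3)">click</a> <a href="https://example.invalid/">ok</a>'
    '<img src="cid:part1@mail">&lt;not a tag&gt;'
    '</td></tr></table><script>alert(4)</script></body></html>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_BODY)
    print(clean)
    for tag, attr in dropped:
        print("dropped:", tag, attr or "(whole tag)")
```

Two design points matter here. An allowlist fails closed: an attribute nobody thought about is dropped without anyone having to know it is dangerous, which is the property Vincent describes for the older versions. And the scheme check runs on the attribute value with whitespace and control characters removed, since browsers discard tab and newline characters from a URL before parsing it; checking the raw string would let a split scheme through.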
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#514179; Package roundcube. (Mon, 09 Feb 2009 18:03:02 GMT)
Acknowledgement sent to Vincent Bernat <bernat@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Mon, 09 Feb 2009 18:03:02 GMT)
Message #15 received at 514179@bugs.debian.org:
OoO On this cloudy night of Thursday 05 February 2009, around 00:13, Steffen
Joeris <steffen.joeris@skolelinux.de> said:
> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
> | web script or HTML via the background attribute embedded in an HTML
> | e-mail message.
> This bugreport concerns the experimental version. The other versions
> don't seem to be affected after a quick glance. The published upstream
> patch is here[1].
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
After some investigations, we discovered that roundcube 0.1.1 is
vulnerable to this XSS attack but is also vulnerable to many others,
even trivial ones.
We believe that we cannot fix those security issues with simple
patches. The best way to handle them would be to upgrade to 0.2 which is
not ready for unstable yet (and cannot run in Lenny because of missing
dependencies).
Therefore, it seems to be safer to just remove roundcube from Lenny.
--
Avoid unnecessary branches.
- The Elements of Programming Style (Kernighan & Plauger)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#514179; Package roundcube. (Mon, 09 Feb 2009 22:42:11 GMT)
Acknowledgement sent to Luk Claes <luk@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Mon, 09 Feb 2009 22:42:11 GMT)
Message #20 received at 514179@bugs.debian.org:
Vincent Bernat wrote:
> OoO On this cloudy night of Thursday 05 February 2009, around 00:13, Steffen
> Joeris <steffen.joeris@skolelinux.de> said:
>
>> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
>> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
>> | web script or HTML via the background attribute embedded in an HTML
>> | e-mail message.
>
>> This bugreport concerns the experimental version. The other versions
>> don't seem to be affected after a quick glance. The published upstream
>> patch is here[1].
>
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
>
> After some investigations, we discovered that roundcube 0.1.1 is
> vulnerable to this XSS attack but is also vulnerable to many others,
> even trivial ones.
>
> We believe that we cannot fix those security issues with simple
> patches. The best way to handle them would be to upgrade to 0.2 which is
> not ready for unstable yet (and cannot run in Lenny because of missing
> dependencies).
>
> Therefore, it seems to be safer to just remove roundcube from Lenny.
removal hint added
Cheers
Luk
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#514179; Package roundcube. (Tue, 10 Feb 2009 19:36:05 GMT)
Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Tue, 10 Feb 2009 19:36:05 GMT)
Message #25 received at 514179@bugs.debian.org:
Hi,
On Monday, 9 February 2009, Luk Claes wrote:
> > After some investigations, we discovered that roundcube 0.1.1 is
> > vulnerable to this XSS attack but is also vulnerable to many others,
> > even trivial ones.
> >
> > We believe that we cannot fix those security issues with simple
> > patches. The best way to handle them would be to upgrade to 0.2 which is
> > not ready for unstable yet (and cannot run in Lenny because of missing
> > dependencies).
> >
> > Therefore, it seems to be safer to just remove roundcube from Lenny.
> removal hint added
And what about the version in etch-backports now?
regards,
Holger
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#514179; Package roundcube. (Wed, 11 Feb 2009 18:30:09 GMT)
Acknowledgement sent to Vincent Bernat <bernat@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Wed, 11 Feb 2009 18:30:09 GMT)
Message #30 received at 514179@bugs.debian.org:
OoO At the end of this radiant morning of Tuesday 10 February 2009, around
11:30, Holger Levsen <holger@layer-acht.org> said:
>> > After some investigations, we discovered that roundcube 0.1.1 is
>> > vulnerable to this XSS attack but is also vulnerable to many others,
>> > even trivial ones.
>> >
>> > We believe that we cannot fix those security issues with simple
>> > patches. The best way to handle them would be to upgrade to 0.2 which is
>> > not ready for unstable yet (and cannot run in Lenny because of missing
>> > dependencies).
>> >
>> > Therefore, it seems to be safer to just remove roundcube from Lenny.
>> removal hint added
> And what about the version in etch-backports now?
It should be vulnerable too. Would it be possible to upgrade to 0.2-alpha?
--
printk("Illegal format on cdrom. Pester manufacturer.\n");
2.2.16 /usr/src/linux/fs/isofs/inode.c
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#514179; Package roundcube. (Wed, 11 Feb 2009 18:54:03 GMT)
Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Wed, 11 Feb 2009 18:54:03 GMT)
Message #35 received at 514179@bugs.debian.org:
Hi,
On Wednesday, 11 February 2009, Vincent Bernat wrote:
> It should be vulnerable too. Would it be possible to upgrade to 0.2-alpha?
Besides that it's in experimental atm, do you have a way to reduce its
depends to something which is in etch/bpo or at least lenny?
(And I'm not sure Alexander will like it. But then the question how to proceed
is still open. Remove it and send a mail to bpo-announce and inform people?)
Do you have 0.2 running on etch somewhere?
regards,
Holger
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#514179; Package roundcube. (Wed, 11 Feb 2009 19:00:02 GMT)
Acknowledgement sent to Vincent Bernat <bernat@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Wed, 11 Feb 2009 19:00:02 GMT)
Message #40 received at 514179@bugs.debian.org:
OoO During the meal on Wednesday 11 February 2009, around 19:52, Holger
Levsen <holger@layer-acht.org> said:
> On Wednesday, 11 February 2009, Vincent Bernat wrote:
>> It should be vulnerable too. Would it be possible to upgrade to 0.2-alpha?
> Besides that it's in experimental atm, do you have a way to reduce it's
> depends to something which is in etch/bpo or at least lenny?
0.2alpha should run fine in Etch if you reenable the following patch:
fix-too-old-php-mail-mime.patch
The future 0.2stable will need more work (even for lenny) since it uses
mdb.
--
printk("??? No FDIV bug? Lucky you...\n");
2.2.16 /usr/src/linux/include/asm-i386/bugs.h
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#514179; Package roundcube. (Wed, 11 Feb 2009 19:21:05 GMT)
Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Wed, 11 Feb 2009 19:21:05 GMT)
Message #45 received at 514179@bugs.debian.org:
Hi Vincent,
On Wednesday, 11 February 2009, Vincent Bernat wrote:
> 0.2alpha should run fine in Etch if you reenable the following patch:
> fix-too-old-php-mail-mime.patch
ok, just like on bpo now :)
> The future 0.2stable will need more work (even for lenny) since it uses
> mdb.
hmpf. 0.2 stable is not really future (as you'll know), but current. So I
expect 0.2alpha to also have important issues which are fixed in 0.2.x in the
short or long run, so no real gain IMHO...
regards,
Holger
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#514179; Package roundcube. (Thu, 12 Feb 2009 02:06:02 GMT)
Acknowledgement sent to Vincent Bernat <bernat@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Thu, 12 Feb 2009 02:06:02 GMT)
Message #50 received at 514179@bugs.debian.org:
OoO During the TV news on Wednesday 11 February 2009, around 20:20,
Holger Levsen <holger@layer-acht.org> said:
>> The future 0.2stable will need more work (even for lenny) since it uses
>> mdb.
> hmpf. 0.2 stable is not really future (as you'll know), but current. So I
> expect 0.2alpha to also have important issues which are fixed in 0.2.x in the
> short or long run, so no real gain IMHO...
Well, it does not have this XSS issue, so it is an improvement over 0.1.1.
--
die_if_kernel("Kernel gets FloatingPenguinUnit disabled trap", regs);
2.2.16 /usr/src/linux/arch/sparc/kernel/traps.c
Reply sent to Vincent Bernat <bernat@debian.org>: You have taken responsibility. (Sun, 15 Feb 2009 17:45:30 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Sun, 15 Feb 2009 17:45:30 GMT)
Message #55 received at 514179-close@bugs.debian.org:
Source: roundcube
Source-Version: 0.2~stable-1
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:
roundcube-core_0.2~stable-1_all.deb
to pool/main/r/roundcube/roundcube-core_0.2~stable-1_all.deb
roundcube-mysql_0.2~stable-1_all.deb
to pool/main/r/roundcube/roundcube-mysql_0.2~stable-1_all.deb
roundcube-pgsql_0.2~stable-1_all.deb
to pool/main/r/roundcube/roundcube-pgsql_0.2~stable-1_all.deb
roundcube-sqlite_0.2~stable-1_all.deb
to pool/main/r/roundcube/roundcube-sqlite_0.2~stable-1_all.deb
roundcube_0.2~stable-1.diff.gz
to pool/main/r/roundcube/roundcube_0.2~stable-1.diff.gz
roundcube_0.2~stable-1.dsc
to pool/main/r/roundcube/roundcube_0.2~stable-1.dsc
roundcube_0.2~stable-1_all.deb
to pool/main/r/roundcube/roundcube_0.2~stable-1_all.deb
roundcube_0.2~stable.orig.tar.gz
to pool/main/r/roundcube/roundcube_0.2~stable.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 514179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 15 Feb 2009 16:18:58 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.2~stable-1
Distribution: unstable
Urgency: low
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description:
roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
roundcube-core - skinnable AJAX based webmail solution for IMAP servers
roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 473794 503573 504570 508752 514179
Changes:
roundcube (0.2~stable-1) unstable; urgency=low
.
* New upstream version. Closes: #503573, #504570.
+ Add SQL update scripts for this new release and for
0.2~alpha. Remove copy of SQL upgrade script from debian/rules.
+ Remove patch for CVE-2008-5620 which is now fixed upstream.
+ Remove patch correcting a vulnerability in html2text.php.
+ Remove patch fixing login issue. This is fixed upstream.
+ Remove patch setting the default backend to db instead of mdb2:
this is not possible any more. We depend on php-mdb2 now.
+ Update patch to use packaged tinymce.
* Upload to unstable since Lenny is out.
* Apply fix for XSS issue (CVE-2009-0413). Closes: #514179.
* Remove hack to update a SQLite table for an upgrade from a quite old
version of roundcube.
* Fix pending l10n issues:
+ Update English debconf template. Closes: #473794.
+ Add Swedish translation thanks to Martin Bagge. Closes: #508752.
* Fix debian/copyright to make lintian happy.
Checksums-Sha1:
a9602a087edd88631c35d43bf38c2b10b57dcf4b 1417 roundcube_0.2~stable-1.dsc
23bedb1baa91a67ca14a05aa4acae413c8bf7fc6 1186285 roundcube_0.2~stable.orig.tar.gz
03a75af4ecb98a37af5715f7ec057113d53f0c4e 26700 roundcube_0.2~stable-1.diff.gz
65fe00e00afc48431bc86924c06c367c0ae1aec8 696628 roundcube-core_0.2~stable-1_all.deb
886183bf33ab7dc4d296698a0ac04ff6489169b0 14672 roundcube_0.2~stable-1_all.deb
195cd341378bddc3c281e71a0f509604eeae2d68 13992 roundcube-mysql_0.2~stable-1_all.deb
3575afcc2e5a5ee39cb4b555ff1cbcbce447acd7 13996 roundcube-pgsql_0.2~stable-1_all.deb
af057aa7f209f68dc82f76e6d48fb35fefb3c23b 13962 roundcube-sqlite_0.2~stable-1_all.deb
Checksums-Sha256:
9b8f42a3d3d3dde6f7ad03937841f8c0ebefd5649eb369560ef1b008488afb86 1417 roundcube_0.2~stable-1.dsc
63757d57bcb4f0fab306bcf9517e9714b32df249af72f7f93b9faf77c081fd07 1186285 roundcube_0.2~stable.orig.tar.gz
3a0cc90ece88e6d79dd0231bc13af73cd6e49ec095105a8ef034f2b8bfbbd216 26700 roundcube_0.2~stable-1.diff.gz
5bb7a49b358607848fe6a1aae42ced06890a00a4c95db53cbb56aa3786b2eb67 696628 roundcube-core_0.2~stable-1_all.deb
f5174dd71f64a702e30a6afbe6920ea7d193b376f1e7d693a641bd8dab2633ca 14672 roundcube_0.2~stable-1_all.deb
51543b7bdb98a3ffa6b0fcfd61fb0a59ce6598df7a84ac8cd3ff049feb3fcba9 13992 roundcube-mysql_0.2~stable-1_all.deb
77c8cef82bbb664b296b1594e83cf305b3cb21020e535f962f22f08b913c9998 13996 roundcube-pgsql_0.2~stable-1_all.deb
df0c23a8464d57420f0b20eea3e4700c1b1d612e416e3a5bfd18666299f7af4e 13962 roundcube-sqlite_0.2~stable-1_all.deb
Files:
ff50ac63e97f8ccf476919960efba356 1417 web extra roundcube_0.2~stable-1.dsc
dac7776b063bf2314f7d7730af2b1b0f 1186285 web extra roundcube_0.2~stable.orig.tar.gz
24aeb23dfc6ed6cf293e4639708df91d 26700 web extra roundcube_0.2~stable-1.diff.gz
3e9559c144ef87b50aee302976085435 696628 web extra roundcube-core_0.2~stable-1_all.deb
ddb189f5a92bd62ad936124fbae5c876 14672 web extra roundcube_0.2~stable-1_all.deb
388a796f9ad8565442b9dee909309c9c 13992 web extra roundcube-mysql_0.2~stable-1_all.deb
556575a66a9244b31e5d033e2e99bd34 13996 web extra roundcube-pgsql_0.2~stable-1_all.deb
3d0795167d24c522162ab57306fc1f47 13962 web extra roundcube-sqlite_0.2~stable-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmYTTkACgkQKFvXofIqeU4r4ACfW12giHgsLzimGX1JtgWqFLEy
XoAAn24tnvOW9/aTKSa7ETR1ztRNgR5j
=55EP
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 10:08:24 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 16:47:31 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.