Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 2787-1] roundcube security update

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [SECURITY] [DSA 2787-1] roundcube security update


Chronologisch Thread 
  • From: Salvatore Bonaccorso <carnil AT debian.org>
  • To: debian-security-announce AT lists.debian.org
  • Subject: [IT-SecNots] [SECURITY] [DSA 2787-1] roundcube security update
  • Date: Sun, 27 Oct 2013 08:53:13 +0000
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
  • Old-return-path: <carnil AT master.debian.org>
  • Priority: urgent
  • Resent-date: Sun, 27 Oct 2013 08:53:34 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <ZAZ8Hka1epE.A.niE.OSNbSB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2787-1 security AT debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
October 27, 2013 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : roundcube
Vulnerability : design error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-6172
Debian Bug : 727668

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, does not properly sanitize the _session
parameter in steps/utils/save_pref.inc during saving preferences. The
vulnerability can be exploited to overwrite configuration settings and
subsequently allowing random file access, manipulated SQL queries and
even code execution.

roundcube in the oldstable distribution (squeeze) is not affected by
this problem.

For the stable distribution (wheezy), this problem has been fixed in
version 0.7.2-9+deb7u1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your roundcube packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSbNQmAAoJEAVMuPMTQ89E6zYP/0tlZhlEgadu7xvTauny/zim
RV2WCJFLmRMCGZYhCiOJ2ND50fAnn62CdO+vnWN3JH5FH0KIngLmtGfrq+EPjLwj
rFPGMPKRDZRag8oV3SeKbsHlrcMHS5H/B9GhILst3+32pbwoBE7aH5+wTMYHshsF
TK0whlv73RZge6njPfzqvdkSoIgCLYx4Mc+pXP/pC+wOaSiD/gMjKBh51DoOwpnB
r7rfs7wmy4Ke1Ljsw35LceX64kCP8YC9d7FUPZc8SxUKEk3eojrhnSzpDUBt+Pvl
/S8nAbCbbrosh464szwXL4w6gcZIDDJgvy3u3aTn+XvRCoK6cr8RrdMbBQibR1Xb
9hCdieOs0pkNbBI4yE6bivztAolHlfAwvsgFPcMv3fM26gAsSOC8SRrzRqQrqqqk
1jfUqJETE+W0FkjmZa4W6JiDm78ZP4DNFQCrITRaealMgo2dh2uKua/4PmaBwjJ/
/lrukur5D6mCcLxFEpRA9TwDYVcvWE3cCVL9WhaMBNRJWiuKuaamOujO7jPtzga8
uJZWGKQNTd4rB6WHN4uN2wqltPH3lOIxvOd+2Uu9P9mDwQkgfrQ0s/hwjB3dpPWO
vNqHSeK2j8RZPDD4reulRFC4vEbI3MCXOUcyc+JqgI9Pa61Y0qrM6PwWyoPTDROr
PGySE+o+FGBjlugiGG51
=CNJm
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST AT lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster AT lists.debian.org
Archive: E1VaM5x-00067z-Tt AT master.debian.org">http://lists.debian.org/E1VaM5x-00067z-Tt AT master.debian.org




  • [IT-SecNots] [SECURITY] [DSA 2787-1] roundcube security update, Salvatore Bonaccorso, 27.10.2013

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang