Package name
roundcubemail
Date
2013-04-21
Advisory ID
MDVSA-2013:148
Affected versions
MES5 i586, MES5 x86_64

Problem description

Multiple vulnerabilities have been found and corrected in roundcubemail:

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1
and earlier allows remote attackers to inject arbitrary web script
or HTML via the signature in an email (CVE-2012-4668).

A local file inclusion flaw was found in the way RoundCube Webmail,
a browser-based multilingual IMAP client, performed validation
of the 'generic_message_footer' value provided via the web user
interface in certain circumstances. A remote attacker could issue a
specially crafted request that, when processed by RoundCube Webmail,
could allow the attacker to obtain arbitrary files on the system
accessible with the privileges of the user running the RoundCube
Webmail client (CVE-2013-1904).

The updated packages have been patched and upgraded to the 0.7.4
version, which is not affected by these issues.

Updated packages

MES5 i586

 8115fa1ac36413ca54ead740972774b1  mes5/i586/roundcubemail-0.7.4-0.1mdvmes5.2.noarch.rpm 
 619c3f956f5220859a9ac4f9018d5434  mes5/SRPMS/roundcubemail-0.7.4-0.1mdvmes5.2.src.rpm

MES5 x86_64

 8cb680beb0aa440f9b4cba12cad146dc  mes5/x86_64/roundcubemail-0.7.4-0.1mdvmes5.2.noarch.rpm 
 619c3f956f5220859a9ac4f9018d5434  mes5/SRPMS/roundcubemail-0.7.4-0.1mdvmes5.2.src.rpm

References