MDVSA-2010:015

Package name

roundcubemail

Date

2010-01-19

Advisory ID

MDVSA-2010:015

Affected versions

MES5 i586 , MES5 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in transmission:

A number of dependency probles were discovered and has been corrected
with this release (#56006).

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
0.2.2 and earlier allows remote attackers to hijack the authentication
of unspecified users for requests that modify user information via
unspecified vectors, a different vulnerability than CVE-2009-4077
(CVE-2009-4076).

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
0.2.2 and earlier allows remote attackers to hijack the authentication
of unspecified users for requests that send arbitrary emails via
unspecified vectors, a different vulnerability than CVE-2009-4076
(CVE-2009-4077).

The updated packages have been patched to correct these
issues. Additionally roundcubemail has been upgraded to 0.2.2 that
also fixes a number of upstream bugs.

Updated packages

MES5 i586

 a1f0123588ceb9641dcf271095c32a0c  mes5/i586/roundcubemail-0.2.2-0.1mdvmes5.noarch.rpm 
 9957258d449a99eea2065481183cb412  mes5/SRPMS/roundcubemail-0.2.2-0.1mdvmes5.src.rpm

MES5 x86_64

 bb7c6fb4c4d6c26fd352ef148e7dc099  mes5/x86_64/roundcubemail-0.2.2-0.1mdvmes5.noarch.rpm 
 9957258d449a99eea2065481183cb412  mes5/SRPMS/roundcubemail-0.2.2-0.1mdvmes5.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4077
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4076
• https://qa.mandriva.com/show_bug.cgi?id=56006