CVE-2012-4668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4668): Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email.
CVE-2012-3508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3508): Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email.
CVE-2012-3507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3507): Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject.
Note that the wording in CVE-2012-4668 is confusing: upstream states that the issues were fixed for 0.8.x in 0.8.1. However, they did not backport the fix to the 0.7.x branch.
@web-apps: may we stabilize 0.8.1?

> @web-apps: may we stabilize 0.8.1?
Go ahead.

(In reply to comment #1)
> > @web-apps: may we stabilize 0.8.1?
> Go ahead.
Thanks, Tim. Arches, please test and mark stable:
=mail-client/roundcube-0.8.1

amd64 stable
x86 done.
arm stable
ppc stable
Thanks, everyone. Closing noglsa for XSS issues.