Bug 482206 (CVE-2013-5645) - <mail-client/roundcube-0.9.3 - two XSS vulnerabilities with HTML messages and signatures (CVE-2013-5645)
Summary: <mail-client/roundcube-0.9.3 - two XSS vulnerabilities with HTML messages and...
Status: RESOLVED FIXED
Alias: CVE-2013-5645
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://sourceforge.net/p/roundcubemai...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-23 12:43 UTC by Philippe Chaintreuil
Modified: 2013-09-30 22:49 UTC

See Also:
Package list:
Runtime testing required: ---

Description Philippe Chaintreuil 2013-08-23 12:43:06 UTC
Roundcube has released a bug fix version of their new 0.9.x line. Contains bug fixes and a fix for "two recently reported XSS vulnerabilities with HTML messages and signatures".

Probably just needs the 0.9.2 ebuild to be renamed.

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2013-08-23 12:50:13 UTC
Thanks for the report.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 17:48:39 UTC
CVE-2013-5645 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5645):
  Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail
  before 0.9.3 allow user-assisted remote attackers to inject arbitrary web
  script or HTML via the body of a message visited in (1) new or (2) draft
  mode, related to compose.inc; and (3) might allow remote authenticated users
  to inject arbitrary web script or HTML via an HTML signature, related to
  save_identity.inc.
Comment 3 Tim Harder gentoo-dev 2013-09-04 09:54:36 UTC
Arches, please stabilize:
=mail-client/roundcube-0.9.3
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-04 13:25:46 UTC
amd64 stable
Comment 5 Markus Meier gentoo-dev 2013-09-08 15:46:27 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-09-12 17:37:53 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-14 10:14:47 UTC
x86 stable
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-30 22:49:46 UTC
Closing noglsa for XSS.