Minor bug fix version:
* Security: Fix possible CSRF attacks to some address book operations as well as to the ACL and Managesieve plugins.
* Fix attachments encoded in TNEF containers (from Outlook)
* Fix compatibility with PHP 5.2
Reproducible: Always
CVE-2014-9587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9587): Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins.
Maintainers, please add arches when =mail-client/roundcube-1.0.4 is ready for stabilization.
(In reply to Sean Amoss from comment #2)
> Maintainers, please add arches when =mail-client/roundcube-1.0.4 is ready
> for stabilization.
I'd say you'd want to stabilize 1.0.5 now instead, go ahead with that.
Arches, please test and mark stable:
=mail-client/roundcube-1.0.5
Target Keywords : "amd64 arm ppc x86"
Thank you!
amd64 stable
arm stable
CVE-2015-1433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1433): program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email.
x86 stable
ppc stable. Maintainer(s), please clean up. Security, please vote.
Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No
Arches and Maintainer(s), Thank you for your work.
GLSA vote: no. Closing as [noglsa]