CVE-2010-0464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0464): Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
FYI: Patch exists. http://trac.roundcube.net/changeset/3293
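As an added illustration (not Roundcube's code and not the upstream changeset linked above), here is the leak the CVE text describes and the opt-out that closes it, in Python. The scanner lists the hostnames a link-prefetching browser would resolve from a constructed HTML message as soon as it is displayed, and the check tells whether a response opts out via the X-DNS-Prefetch-Control response header or the equivalent meta http-equiv directive. The sample message, its hostnames and the helper names are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (assumption): an HTML message body as a sender could
# craft it. Each anchor points at a hostname the sender controls; a browser
# that prefetches DNS for links resolves these names while rendering the
# message, without any click, so the reader's resolver shows up in the logs
# of the sender's authoritative name server.
SAMPLE_MESSAGE = (
    '<p>Hello,<br>see <a href="http://rcpt-a1b2.example.net/x">this</a> '
    'and <a href="https://rcpt-c3d4.example.net/y">that</a>.</p>'
    '<a href="mailto:someone@example.com">write</a>'
    '<img src="http://img.example.org/pixel.png" alt="">'
)

# Opt-out directive; the same value can be sent as a response header.
PREFETCH_OPT_OUT = '<meta http-equiv="x-dns-prefetch-control" content="off">'


class _PageScanner(HTMLParser):
    """Collect link hostnames and the page's DNS-prefetch-control directive."""

    def __init__(self):
        super().__init__()
        self.hosts = []
        self.prefetch_control = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names already
        if tag == "a" and a.get("href"):
            host = urlsplit(a["href"]).hostname  # None for mailto: and relative links
            if host and host not in self.hosts:
                self.hosts.append(host)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            self.prefetch_control = a.get("content", "").strip().lower()


def _scan(html):
    s = _PageScanner()
    s.feed(html)
    s.close()
    return s


def prefetch_targets(html):
    """Hostnames a link-prefetching browser would resolve while rendering html."""
    return _scan(html).hosts


def render_message_page(body_html):
    """Hardened wrapper (example only): the directive precedes the untrusted body,
    so the opt-out is in effect before the parser reaches the first link."""
    return ('<!DOCTYPE html><html><head><meta charset="utf-8">' + PREFETCH_OPT_OUT
            + "</head><body>" + body_html + "</body></html>")


def hardened_headers():
    """The same opt-out as a response header, to pair with the meta directive."""
    return {"Content-Type": "text/html; charset=utf-8",
            "X-DNS-Prefetch-Control": "off"}


def prefetch_disabled(headers, page_html):
    """Audit a (headers, body) pair: the opt-out counts if either the response
    header or the meta directive says 'off'."""
    hdr = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if hdr.get("x-dns-prefetch-control") == "off":
        return True
    return _scan(page_html).prefetch_control == "off"


if __name__ == "__main__":
    print("names a prefetching browser resolves:", prefetch_targets(SAMPLE_MESSAGE))
    print("raw body opts out:", prefetch_disabled({}, SAMPLE_MESSAGE))
    page = render_message_page(SAMPLE_MESSAGE)
    print("hardened page opts out:", prefetch_disabled(hardened_headers(), page))
```

The directive has to appear before any untrusted content in the document, which is why the wrapper puts it in the head rather than appending it. Two caveats a practitioner would want: Firefox does not prefetch link hostnames by default on pages served over HTTPS, so an HTTPS-only webmail narrows the exposure, but the explicit opt-out is what removes the dependence on browser defaults; and the remote image in the sample is fetched outright unless the client blocks remote content, which is a separate control from prefetching.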
I've added a new revision in the tree that applies a version of the upstream patch. I'll leave this bug open until the new revision or newer version is stabilized.
Arches, please test and mark stable: =mail-client/roundcube-0.4 Target keywords: "amd64 arm ppc ppc64 x86"
If it's not too late, can we move to stabilizing roundcube-0.4.1 instead? It was released and added to the tree less than a day after your first stable request.
(In reply to comment #4)
> If it's not too late, can we move to stabilizing roundcube-0.4.1 instead? It
> was released and added to the tree less than a day after your first stable
> request.

Only if it fixed a showstopper bug in 0.4. Early stabilizations are granted for security updates only; however, in the case of a serious regression the stable target can be reconsidered, but that's a decision to be made for the specific case.
(In reply to comment #5)
> Only if it fixed a showstopper bug in 0.4. Early stabilizations are granted for
> security updates only, however in the case of a serious regression, the stable
> target can be reconsidered, but that's a decision to be made for the specific
> case.

I don't think I'd call any of the bugs that were fixed showstoppers, so stabilizing roundcube-0.4 is fine.
I tested mail-client/roundcube-0.4 on x86 against my dovecot imap server and it seems to work flawlessly!
amd64 done
x86 stable, thanks Andreas
ppc64 done
ppc done
arm stable, all arches done.
Just a minor information leak. Closing noglsa, feel free to reopen. Can you please remove the older, vulnerable versions?
(In reply to comment #13)
> Can you please remove the older, vulnerable versions?

Done.
Thanks! :)