Bug 294679 (CVE-2009-4076)

Summary:	<mail-client/roundcube-0.3.1 CSRF (CVE-2009-{4076,4077})
Product:	Gentoo Security	Reporter:	Alex Legler (RETIRED) <a3li>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	web-apps
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---

Description Alex Legler (RETIRED) archtester

2009-11-26 08:25:19 UTC

CVE-2009-4076 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4076):
  Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
  0.2.2 and earlier allows remote attackers to hijack the
  authentication of unspecified users for requests that modify user
  information via unspecified vectors, a different vulnerability than
  CVE-2009-4077.

Comment 1 Alex Legler (RETIRED) archtester

2009-11-26 08:26:37 UTC

CVE-2009-4077 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4077):
  Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
  0.2.2 and earlier allows remote attackers to hijack the
  authentication of unspecified users for requests that send arbitrary
  emails via unspecified vectors, a different vulnerability than
  CVE-2009-4076.

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2009-11-26 17:07:02 UTC

Arches, please test and mark stable:
=mail-client/roundcube-0.3.1
Target keywords : "amd64 ppc ppc64 x86"

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev

2009-11-27 12:42:42 UTC

x86 stable

Comment 4 Markus Meier gentoo-dev

2009-11-30 11:36:47 UTC

amd64 stable

Comment 5 Brent Baude (RETIRED) gentoo-dev

2009-11-30 18:22:30 UTC

ppc64 done

Comment 6 Joe Jezak (RETIRED) gentoo-dev

2010-01-05 02:18:46 UTC

Marked ppc stable.

Comment 7 Alex Legler (RETIRED) archtester

2010-08-12 08:09:58 UTC

Closing noglsa.

+  12 Aug 2010; Alex Legler <a3li@gentoo.org> -roundcube-0.2.2.ebuild,
+  -roundcube-0.3.1.ebuild:
+  Non-maintainer commit: Removing vulnerable versions for bug 294679.
+