Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 294679 (CVE-2009-4076) - <mail-client/roundcube-0.3.1 CSRF (CVE-2009-{4076,4077})
Summary: <mail-client/roundcube-0.3.1 CSRF (CVE-2009-{4076,4077})
Status: RESOLVED FIXED
Alias: CVE-2009-4076
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-26 08:25 UTC by Alex Legler (RETIRED)
Modified: 2010-08-12 08:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-26 08:25:19 UTC 
CVE-2009-4076 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4076):
  Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
  0.2.2 and earlier allows remote attackers to hijack the
  authentication of unspecified users for requests that modify user
  information via unspecified vectors, a different vulnerability than
  CVE-2009-4077.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-26 08:26:37 UTC 
CVE-2009-4077 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4077):
  Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
  0.2.2 and earlier allows remote attackers to hijack the
  authentication of unspecified users for requests that send arbitrary
  emails via unspecified vectors, a different vulnerability than
  CVE-2009-4076.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-11-26 17:07:02 UTC 
Arches, please test and mark stable:
=mail-client/roundcube-0.3.1
Target keywords : "amd64 ppc ppc64 x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-27 12:42:42 UTC 
x86 stable
Comment 4 Markus Meier gentoo-dev 2009-11-30 11:36:47 UTC 
amd64 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-11-30 18:22:30 UTC 
ppc64 done
Comment 6 Joe Jezak (RETIRED) gentoo-dev 2010-01-05 02:18:46 UTC 
Marked ppc stable.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-12 08:09:58 UTC 
Closing noglsa.

+  12 Aug 2010; Alex Legler <a3li@gentoo.org> -roundcube-0.2.2.ebuild,
+  -roundcube-0.3.1.ebuild:
+  Non-maintainer commit: Removing vulnerable versions for bug 294679.
+