Minor bug fix version:
* Security: Fix possible CSRF attacks to some address book operations as well as to the ACL and Managesieve plugins.
* Fix attachments encoded in TNEF containers (from Outlook)
* Fix compatibility with PHP 5.2
Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube
Webmail before 1.0.4 allow remote attackers to hijack the authentication of
unspecified victims via unknown vectors, related to (1) address book
operations or the (2) ACL or (3) Managesieve plugins.
Maintainers, please add arches when =mail-client/roundcube-1.0.4 is ready for stabilization.
(In reply to Sean Amoss from comment #2)
> Maintainers, please add arches when =mail-client/roundcube-1.0.4 is ready
> for stabilization.
I'd say you'd want to stabilize 1.0.5 now instead, go ahead with that.
Arches, please test and mark stable:
Target Keywords : "amd64 arm ppc x86"
program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not
properly quote strings, which allows remote attackers to conduct cross-site
scripting (XSS) attacks via the style attribute in an email.
Maintainer(s), please clean up.
Security, please vote.
Maintainer(s), please drop the vulnerable version(s).
GLSA Vote: No
Arches and Maintainer(s), thank you for your work.
GLSA vote: no.
Closing as [noglsa]