Source: roundcube
Version: 0.9.5-1~bpo70+1
Severity: normal
Tags: security

The wheezy version of roundcube is seriously out of date. It is running a version that has no correspondence to the jessie version (it was dropped from jessie prior to release) or stretch (it was not updated since then).

The last upload was done by `Vincent Bernat <ber...@debian.org>`, one of the current uploaders.

There are two ways out of this:

 * remove roundcube from wheezy-backports
 * update roundcube in wheezy-backports-sloppy

It may be necessary to actually do both because normally, you can't have packages in $SUITE-backports that are not in $SUITE+1, hence the -sloppy.

I stumbled upon this while doing security triage for recent Roundcube security issues. Normally, backports are not part of that triage, but they are often covered eventually as the backports are updated from the corresponding source.

I am worried that the 0.9.5 version in wheezy-backports is vulnerable to a bunch of security issues...

https://security-tracker.debian.org/tracker/source-package/roundcube
http://www.cvedetails.com/version/155252/Roundcube-Webmail-0.9.5.html

Just looking at the above, roundcube in wheezy-backports seems vulnerable to http://www.cvedetails.com/cve/CVE-2013-6172/

    steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
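The triage the report describes comes down to comparing a Debian package version against the affected ranges stated in a CVE description. The following is an added example from the editor, not code from the report or from Debian's own tooling: it extracts the numeric upstream version from a Debian version string (epoch and Debian revision stripped) and tests it against the two ranges quoted above for CVE-2013-6172, "before 0.8.7" and "0.9.x before 0.9.5". The inventory it runs over is constructed; only the wheezy-backports entry is the version named in the report. Run against that description alone, 0.9.5 itself sits at the upper bound and falls outside the stated range, which is exactly the kind of detail a version-range check makes visible; whether later Roundcube CVEs apply is what the security-tracker link is for.

```python
"""Version-range triage for a CVE affected-versions statement (editor's example)."""

import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges taken from the CVE-2013-6172 description quoted in the report:
# (lower bound inclusive, upper bound exclusive) as version tuples.
CVE_2013_6172_AFFECTED: List[Tuple[Version, Version]] = [
    ((0,), (0, 8, 7)),      # everything before 0.8.7
    ((0, 9), (0, 9, 5)),    # 0.9.x before 0.9.5
]


def upstream_version(debian_version: str) -> Version:
    """Return the numeric upstream version of a Debian version string.

    Drops an optional epoch ("1:") and the Debian revision after the last "-",
    so "0.9.5-1~bpo70+1" -> (0, 9, 5) and "1.1.4+dfsg.1-1" -> (1, 1, 4).
    Anything after the leading dotted digits (e.g. "+dfsg", "~rc1") is ignored,
    which is good enough for release-number ranges like the ones in a CVE text.
    """
    if ":" in debian_version:
        debian_version = debian_version.split(":", 1)[1]
    upstream = debian_version.rsplit("-", 1)[0] if "-" in debian_version else debian_version
    match = re.match(r"(\d+(?:\.\d+)*)", upstream)
    if not match:
        raise ValueError(f"no numeric upstream version in {debian_version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(debian_version: str,
                ranges: List[Tuple[Version, Version]] = CVE_2013_6172_AFFECTED) -> bool:
    """True if the upstream version lies inside any of the affected ranges."""
    version = upstream_version(debian_version)
    # Tuple comparison is lexicographic, so (0, 9, 4) < (0, 9, 5) and (0, 9) <= (0, 9, 4).
    return any(lower <= version < upper for lower, upper in ranges)


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """Map suite name -> (version string, affected?) for a version inventory."""
    return {suite: (ver, is_affected(ver)) for suite, ver in inventory.items()}


# Constructed inventory for the demonstration. Only the wheezy-backports line
# is the real version from the report; the other two suites are made up.
SAMPLE_INVENTORY = {
    "wheezy-backports": "0.9.5-1~bpo70+1",
    "example-old":      "0.8.6-1",
    "example-newer":    "1.1.4+dfsg.1-1",
}

if __name__ == "__main__":
    for suite, (ver, hit) in triage(SAMPLE_INVENTORY).items():
        print(f"{suite:18} {ver:22} {'AFFECTED' if hit else 'not in stated range'}")
```

Feeding it other CVE descriptions is a matter of writing their ranges as `(lower, upper)` tuples; for real Debian version ordering (tilde sorting, non-digit segments) use `dpkg --compare-versions` or `apt_pkg.version_compare` instead of the simplified parser here.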