A few things, CVE-2008-5619 states "html2text.php in RoundCube Webmail
(roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to
execute arbitrary code via crafted input that is processed by the
preg_replace function with the eval switch." These versions have never
entered Ubuntu.
I think you mean, CVE-2008-5620:
"RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
attackers to cause a denial of service (memory consumption) via crafted
size parameters that are used to create a large quota image."
This has already been fixed in Jaunty (by way of Debian):
roundcube (0.1.1-10) unstable; urgency=high
  * Fix a vulnerability in quota image generation. This fixes
    CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
  * Add description to all patches.
  * Add missing ${misc:Depends} to debian/control.
  * Add missing dependency on php5-gd, used for quota bar.
Also, a sync to version 0.2~stable-1 has been approved in Bug #331220
All that said, CVE-2008-5620 does affect previous Ubuntu releases.
Thanks for taking the time to point this out.
Opening release specific tasks, so that the fix can be backported. Most
importantly to the LTS release.
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5620
** Changed in: roundcube (Ubuntu)
Importance: Undecided => High
Status: Confirmed => Fix Released
** Summary changed:
- CVE-2008-5619 - Roundcube vulnerable and actively exploited
+ CVE-2008-5620- Roundcube vulnerable and actively exploited
** Description changed:
Binary package hint: roundcube
- Roundcube 0.1 - as shipped in the universe section of every current
- Ubuntu version - is vulnerable to remote code execution. This is
- currently exploited widely. See
+ Roundcube 0.1 - as shipped in the universe section of every Ubuntu
+ version before Jaunty - is vulnerable to a denial of service attack.
+ This is currently exploited widely. See
http://www.milw0rm.com/exploits/7553
http://www.directadmin.com/forum/showthread.php?p=147344
http://directadmin.com/forum/showthread.php?p=147661
http://www.webhostingtalk.com/showthread.php?t=748555
http://forum.ubuntuusers.de/topic/was-ist-wssh/
** Tags added: security
--
CVE-2008-5620- Roundcube vulnerable and actively exploited
https://bugs.launchpad.net/bugs/316550