subject:"\[Bug 316550\] Re\: CVE\-2008\-5619 \- Roundcube vulnerable and actively exploited"

[Bug 316550] Re: CVE-2008-5619 - Roundcube vulnerable and actively exploited

2009-02-19 Thread Andrew Starr-Bochicchio

A few things, CVE 2008-5619  states "html2text.php in RoundCube Webmail
(roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to
execute arbitrary code via crafted input that is processed by the
preg_replace function with the eval switch. " These versions have never
entered Ubuntu.

I think you mean, CVE-2008-5620:

"RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
attackers to cause a denial of service (memory consumption) via crafted
size parameters that are used to create a large quota image. "

This is already been fixed in Jaunty (by way of Debian):

roundcube (0.1.1-10) unstable; urgency=high

  * Fix a vulnerability in quota image generation. This fixes
CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
  * Add description to all patches.
  * Add missing ${misc:Depends} to debian/control.
  * Add missing dependency on php5-gd, used for quota bar.

Also, a sync to version 0.2~stable-1  has been approved in Bug #331220

All that said, CVE-2008-5620 does effect previous Ubuntu releases.
Thanks for taking the time to point this out.

Opening release specific tasks, so that the fix can be backported. Most
importantly to the LTS release.

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5620

** Changed in: roundcube (Ubuntu)
   Importance: Undecided => High
   Status: Confirmed => Fix Released

** Summary changed:

- CVE-2008-5619 - Roundcube vulnerable and actively exploited
+ CVE-2008-5620- Roundcube vulnerable and actively exploited

** Description changed:

  Binary package hint: roundcube
  
- Roundcube 0.1 - as shipped in the universe section of every current
- Ubuntu version - is vulnerable to remote code execution. This is
- currently exploited widely. See
+ Roundcube 0.1 - as shipped in the universe section of every Ubuntu
+ version before Jaunty - is vulnerable to a denial of service attack.
+ This is currently exploited widely. See
  
  http://www.milw0rm.com/exploits/7553
  http://www.directadmin.com/forum/showthread.php?p=147344
  http://directadmin.com/forum/showthread.php?p=147661
  http://www.webhostingtalk.com/showthread.php?t=748555
  http://forum.ubuntuusers.de/topic/was-ist-wssh/

** Tags added: security

-- 
CVE-2008-5620- Roundcube vulnerable and actively exploited
https://bugs.launchpad.net/bugs/316550
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 316550] Re: CVE-2008-5619 - Roundcube vulnerable and actively exploited

2009-01-13 Thread otzenpunk

I've added the Debian Bug link. There is another security related bug
fixed in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509596. The
changeset mentioned above covers both.

** Bug watch added: Debian Bug tracker #508628
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508628

** Also affects: roundcube (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508628
   Importance: Unknown
   Status: Unknown

-- 
CVE-2008-5619 - Roundcube vulnerable and actively exploited
https://bugs.launchpad.net/bugs/316550
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 316550] Re: CVE-2008-5619 - Roundcube vulnerable and actively exploited

2009-01-13 Thread otzenpunk

Sorry, I'm not sure if I can provide a debdiff, because I've never done
that before. Just in case there is somebody with a little more expertise
sitting out there. The changeset is here:
http://trac.roundcube.net/changeset/2162 The update notice here:
http://sourceforge.net/forum/forum.php?forum_id=898542

-- 
CVE-2008-5619 - Roundcube vulnerable and actively exploited
https://bugs.launchpad.net/bugs/316550
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 316550] Re: CVE-2008-5619 - Roundcube vulnerable and actively exploited

2009-01-13 Thread Marc Deslauriers

** Visibility changed to: Public

-- 
CVE-2008-5619 - Roundcube vulnerable and actively exploited
https://bugs.launchpad.net/bugs/316550
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 316550] Re: CVE-2008-5619 - Roundcube vulnerable and actively exploited

[Bug 316550] Re: CVE-2008-5619 - Roundcube vulnerable and actively exploited

[Bug 316550] Re: CVE-2008-5619 - Roundcube vulnerable and actively exploited

[Bug 316550] Re: CVE-2008-5619 - Roundcube vulnerable and actively exploited

4 matches

Site Navigation

Mail list logo

Footer information