
MGASA-2012-0292

Date: October 11th, 2012
Affected releases: 2


Description:
Updated roundcubemail package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in
Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web
script or HTML by using "javascript:" in an href attribute in the body
of an HTML-formatted email (CVE-2012-3508).

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and
earlier allows remote attackers to inject arbitrary web script or HTML
via the signature in an email (CVE-2012-4668).
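
Added example (not part of the advisory and not Roundcube's code): the check whose absence CVE-2012-3508 describes, omitting any href whose URI scheme is not on an allow-list when an HTML mail body is re-serialised. The allow-list, the function names and the sample body are assumptions; the block covers only the href case and is not a full HTML sanitizer.

```python
# Added example, not Roundcube's washtml.php: re-serialise an HTML mail body
# and omit any href whose URI scheme is not on an allow-list.
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed policy for mail links
# Browsers skip control characters and spaces around a URL and tab/CR/LF
# inside it, so strip them before looking for the scheme.
_IGNORED = re.compile(r"[\x00-\x20]+")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# Constructed sample body, not taken from a real message.
SAMPLE = ('<p>Hi <a href="javascript:void(0)">invoice</a> or '
          '<a href="https://example.org/a?b=1&amp;c=2">site</a></p>')

def href_is_safe(value):
    """True only for '#fragment' links and allow-listed absolute URLs."""
    url = _IGNORED.sub("", value or "")
    if url.startswith("#"):
        return True
    m = _SCHEME.match(url)
    return bool(m) and m.group(1).lower() in ALLOWED_SCHEMES

class HrefWasher(HTMLParser):
    """Re-emits tags and text; href attributes that fail the check are omitted."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:  # values arrive with entities decoded
            if name == "href" and not href_is_safe(value):
                self.dropped.append(value)
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def wash_hrefs(html_body):
    washer = HrefWasher()
    washer.feed(html_body)
    washer.close()
    return "".join(washer.out), washer.dropped
```

Calling wash_hrefs(SAMPLE) returns the body with the first link's href removed and the https link kept, plus the list of dropped values for logging.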


Updated Packages:
roundcubemail-0.7.3-1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4668
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html
http://trac.roundcube.net/wiki/Changelog#Release0.7.3
https://bugs.mageia.org/show_bug.cgi?id=7246