Holger Levsen uploaded a new package for roundcube which fixed the
following security problems:
CVE-2010-0464
Roundcube 0.3.1 and earlier does not request that the web browser avoid
DNS prefetching of domain names contained in e-mail messages, which makes
it easier for remote attackers to determine the network location of the
webmail user by logging DNS requests.
For the lenny-backports distribution (lenny), these problems have been fixed
in version 0.3.1-3~bpo50+1.
If you don't use pinning (see [1]) you have to update roundcube
manually via "apt-get -t lenny-backports install roundcube".
[1] <http://backports.org/dokuwiki/doku.php?id=instructions>
We recommend pinning the backports repository to 200 so that new versions
of installed backports are installed automatically:
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
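
A check for the exposure described under CVE-2010-0464, added here as an example (it is not part of the advisory or of Roundcube's code). It assumes the opt-out is expressed through the standard X-DNS-Prefetch-Control response header or the equivalent meta tag; the function name, sample page and host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _Scan(HTMLParser):
    """Collects the meta opt-out and the link hostnames a browser could prefetch."""

    def __init__(self):
        super().__init__()
        self.meta_off = False
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            self.meta_off = a.get("content", "").strip().lower() == "off"
        elif tag in ("a", "area", "link") and a.get("href"):
            host = urlsplit(a["href"]).hostname  # None for mailto: and relative URLs
            if host:
                self.hosts.add(host)


def audit_prefetch(headers, html, own_host):
    """Return (opted_out, exposed_hosts) for one rendered webmail page.

    headers: dict of HTTP response headers; own_host: the webmail server's name.
    exposed_hosts lists external names the browser may resolve without a click.
    """
    hdr = {k.lower(): v.strip().lower() for k, v in headers.items()}
    scan = _Scan()
    scan.feed(html)
    opted_out = hdr.get("x-dns-prefetch-control") == "off" or scan.meta_off
    external = sorted(h for h in scan.hosts if h != own_host.lower())
    return opted_out, ([] if opted_out else external)


# Constructed sample: a message view whose links come from an e-mail body.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}
SAMPLE_HTML = """<html><head><title>Inbox</title></head><body>
<a href="http://tracker-7f3a.example.net/offer">Click here</a>
<a href="https://webmail.example.org/inbox">Back</a>
<a href="mailto:someone@example.com">Reply</a>
</body></html>"""

if __name__ == "__main__":
    print(audit_prefetch(SAMPLE_HEADERS, SAMPLE_HTML, "webmail.example.org"))
```

A page that returns an empty host list only because it contains no external links is still not opted out; the first element of the result is the value to alert on.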
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 5 | all | roundcube-core | < 0.3.1-3~bpo50+1 | roundcube-core_0.3.1-3~bpo50+1_all.deb |
Debian | 5 | all | roundcube-mysql | < 0.3.1-3~bpo50+1 | roundcube-mysql_0.3.1-3~bpo50+1_all.deb |
Debian | 5 | all | roundcube-sqlite | < 0.3.1-3~bpo50+1 | roundcube-sqlite_0.3.1-3~bpo50+1_all.deb |
Debian | 5 | all | roundcube-pgsql | < 0.3.1-3~bpo50+1 | roundcube-pgsql_0.3.1-3~bpo50+1_all.deb |
Debian | 5 | all | roundcube | < 0.3.1-3~bpo50+1 | roundcube_0.3.1-3~bpo50+1_all.deb |