From owner-freebsd-ports-bugs@FreeBSD.ORG Sun Jan 25 04:00:03 2009
Message-Id: <200901250356.n0P3udFL042980@www.freebsd.org>
Date: Sun, 25 Jan 2009 03:56:39 GMT
From: Mark Foster
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/130968: [vuxml] mail/roundcube vulnerability
List-Id: Ports bug reports

>Number: 130968
>Category: ports
>Synopsis: [vuxml] mail/roundcube vulnerability
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Jan 25 04:00:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Mark Foster
>Release: 7.1 RELEASE
>Organization: Credentia
>Environment:
>Description:
>How-To-Repeat:
>Fix:
roundcube -- RoundCube Webmail Background Attributes Email Message HTML Injection Vulnerabili
roundcube 0.2

SecurityFocus reports:

RoundCube Webmail is prone to an HTML-injection vulnerability because the application fails to sufficiently sanitize user-supplied input before using it in dynamically generated content. Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible. RoundCube Webmail 0.2-stable is vulnerable; other versions may also be affected.

URL: http://www.securityfocus.com/bid/33372
CVE: CVE-2008-5734
BID: 33372
Discovery date: 2009-01-20
Entry date: 2009-01-24
>Release-Note:
>Audit-Trail:
>Unformatted:
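
Added example, not part of the original report and not RoundCube's own code: one way to neutralise unsafe `background` attributes in HTML mail before it is rendered, by allow-listing URL schemes. The scheme list, the function and class names and the sample message are assumptions made for this illustration; it checks only this one attribute and does not replace a full HTML sanitiser.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "cid"}  # assumed policy for this example
URL_ATTRS = {"background"}                  # the attribute named in the report

def is_safe_url(value):
    # Browsers strip tabs and newlines from URLs and ignore leading whitespace,
    # so remove them before parsing; relative URLs (no scheme) are rejected too.
    cleaned = "".join(ch for ch in value if ch > " ")
    try:
        return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:  # malformed URL: reject
        return False

class BackgroundFilter(HTMLParser):
    """Re-serialise message HTML without unsafe background attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def _tag(self, tag, attrs, end=""):
        parts = [tag]
        for name, value in attrs:
            if name in URL_ATTRS and not is_safe_url(value or ""):
                self.dropped.append((tag, value))  # keep a record for logging
                continue
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + end + ">")

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " /")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html_body):
    f = BackgroundFilter()
    f.feed(html_body)
    f.close()  # flush any text still buffered by the parser
    return "".join(f.out), f.dropped

# Constructed sample message body (not taken from the report).
SAMPLE = ('<body background="javascript:void(0)"><table background="cid:bg@example.invalid">'
          '<td background=" JaVa\tScRiPt:void(0)">hi &amp; bye</td></table></body>')
```

`sanitize(SAMPLE)` returns the rewritten markup together with the list of dropped `(tag, value)` pairs, which can be logged as a detection signal.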