2009-01-12 22:06:40 |
otzenpunk |
bug |
|
|
added bug |
2009-01-13 13:25:06 |
Marc Deslauriers |
title |
Roundcube vulnerable and actively exploited |
CVE-2008-5619 - Roundcube vulnerable and actively exploited |
|
2009-01-13 13:25:38 |
Marc Deslauriers |
roundcube: status |
New |
Confirmed |
|
2009-01-13 13:25:38 |
Marc Deslauriers |
roundcube: statusexplanation |
|
|
|
2009-01-13 13:39:32 |
Marc Deslauriers |
who_made_private |
reisswolf-nospam |
|
|
2009-01-13 20:15:19 |
otzenpunk |
bug |
|
|
assigned to roundcube (Debian) |
2009-02-19 17:17:54 |
Andrew Starr-Bochicchio |
roundcube: status |
Confirmed |
Fix Released |
|
2009-02-19 17:17:54 |
Andrew Starr-Bochicchio |
roundcube: importance |
Undecided |
High |
|
2009-02-19 17:17:54 |
Andrew Starr-Bochicchio |
roundcube: statusexplanation |
|
A few things. CVE-2008-5619 states "html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch." These versions have never entered Ubuntu.
I think you mean CVE-2008-5620:
"RoundCube Webmail (roundcubemail) before 0.2-beta allows remote attackers to cause a denial of service (memory consumption) via crafted size parameters that are used to create a large quota image."
This has already been fixed in Jaunty (by way of Debian):
roundcube (0.1.1-10) unstable; urgency=high
* Fix a vulnerability in quota image generation. This fixes
CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
* Add description to all patches.
* Add missing ${misc:Depends} to debian/control.
* Add missing dependency on php5-gd, used for quota bar.
Also, a sync to version 0.2~stable-1 has been approved in Bug #331220.
All that said, CVE-2008-5620 does affect previous Ubuntu releases. Thanks for taking the time to point this out.
Opening release-specific tasks, so that the fix can be backported. Most importantly to the LTS release. |
|
2009-02-19 17:21:45 |
Andrew Starr-Bochicchio |
description |
Binary package hint: roundcube
Roundcube 0.1 - as shipped in the universe section of every current Ubuntu version - is vulnerable to remote code execution. This is currently exploited widely. See
http://www.milw0rm.com/exploits/7553
http://www.directadmin.com/forum/showthread.php?p=147344
http://directadmin.com/forum/showthread.php?p=147661
http://www.webhostingtalk.com/showthread.php?t=748555
http://forum.ubuntuusers.de/topic/was-ist-wssh/ |
Binary package hint: roundcube
Roundcube 0.1 - as shipped in the universe section of every Ubuntu version before Jaunty - is vulnerable to a denial of service attack. This is currently exploited widely. See
http://www.milw0rm.com/exploits/7553
http://www.directadmin.com/forum/showthread.php?p=147344
http://directadmin.com/forum/showthread.php?p=147661
http://www.webhostingtalk.com/showthread.php?t=748555
http://forum.ubuntuusers.de/topic/was-ist-wssh/ |
|
2009-02-19 17:21:45 |
Andrew Starr-Bochicchio |
title |
CVE-2008-5619 - Roundcube vulnerable and actively exploited |
CVE-2008-5620 - Roundcube vulnerable and actively exploited |
|
2009-02-19 17:25:14 |
Andrew Starr-Bochicchio |
bug |
|
|
added subscriber MOTU SWAT |
2009-02-19 17:49:35 |
Andrew Starr-Bochicchio |
bug |
|
|
added attachment 'cve-2008-5620.patch' (cve-2008-5620.patch) |
2009-02-19 18:24:01 |
Andrew Starr-Bochicchio |
roundcube: statusexplanation |
|
|
|
2009-02-19 19:06:34 |
Andrew Starr-Bochicchio |
bug |
|
|
added attachment 'hardy-fix-cve-2008-5620.debdiff' (hardy-fix-cve-2008-5620.debdiff) |
2009-02-19 19:06:59 |
Andrew Starr-Bochicchio |
bug |
|
|
added attachment 'intrepid-fix-cve-2008-5620.debdiff' (intrepid-fix-cve-2008-5620.debdiff) |
2009-02-19 20:02:24 |
Jamie Strandboge |
roundcube: status |
New |
In Progress |
|
2009-02-19 20:02:27 |
Jamie Strandboge |
roundcube: status |
New |
In Progress |
|
2009-02-20 05:11:58 |
Andrew Starr-Bochicchio |
bug |
|
|
added attachment 'hardy-fix.debdiff' (hardy-fix.debdiff) |
2009-02-20 05:12:31 |
Andrew Starr-Bochicchio |
bug |
|
|
added attachment 'intrepid-fix.debdiff' (intrepid-fix.debdiff) |
2009-02-23 19:22:23 |
Andrew Starr-Bochicchio |
title |
CVE-2008-5620 - Roundcube vulnerable and actively exploited |
[CVE-2008-5619] [CVE-2008-5620] - Roundcube vulnerable and actively exploited |
|
2009-02-23 19:22:42 |
Andrew Starr-Bochicchio |
roundcube: status |
In Progress |
Confirmed |
|
2009-02-23 19:22:42 |
Andrew Starr-Bochicchio |
roundcube: importance |
Undecided |
High |
|
2009-02-23 19:22:42 |
Andrew Starr-Bochicchio |
roundcube: statusexplanation |
|
|
|
2009-02-23 19:23:00 |
Andrew Starr-Bochicchio |
roundcube: status |
In Progress |
Confirmed |
|
2009-02-23 19:23:00 |
Andrew Starr-Bochicchio |
roundcube: importance |
Undecided |
High |
|
2009-02-23 19:23:00 |
Andrew Starr-Bochicchio |
roundcube: statusexplanation |
|
|
|
2009-02-23 21:18:14 |
Andrew Starr-Bochicchio |
roundcube: assignee |
|
andrewsomething |
|
2009-02-23 21:18:26 |
Andrew Starr-Bochicchio |
roundcube: assignee |
|
andrewsomething |
|
2009-02-24 03:35:18 |
Andrew Starr-Bochicchio |
bug |
|
|
added attachment 'hardy-fix.3' (hardy-fix.3) |
2009-02-24 03:35:41 |
Andrew Starr-Bochicchio |
bug |
|
|
added attachment 'intrepid-fix.3' (intrepid-fix.3) |
2009-02-24 03:40:50 |
Andrew Starr-Bochicchio |
roundcube: status |
Confirmed |
In Progress |
|
2009-02-24 03:40:50 |
Andrew Starr-Bochicchio |
roundcube: assignee |
andrewsomething |
|
|
2009-02-24 03:41:08 |
Andrew Starr-Bochicchio |
roundcube: status |
Confirmed |
In Progress |
|
2009-02-24 03:41:08 |
Andrew Starr-Bochicchio |
roundcube: assignee |
andrewsomething |
|
|
2009-02-24 21:33:25 |
Jamie Strandboge |
roundcube: status |
In Progress |
Fix Committed |
|
2009-02-24 21:34:41 |
Jamie Strandboge |
roundcube: status |
In Progress |
Fix Committed |
|
2009-02-24 21:34:41 |
Jamie Strandboge |
roundcube: statusexplanation |
|
Thanks Andrew for the updated patches! I've uploaded them to the security queue and can publish them once I get feedback on the testing for both Hardy and Intrepid. |
|
2009-02-26 15:10:50 |
Launchpad Janitor |
roundcube: status |
Fix Committed |
Fix Released |
|
2009-02-26 15:11:08 |
Launchpad Janitor |
roundcube: status |
Fix Committed |
Fix Released |
|
2009-07-18 02:10:29 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/intrepid-updates/roundcube |
|
2009-07-18 02:10:30 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/hardy/roundcube/hardy-security |
|
2011-08-17 17:51:38 |
Bug Watch Updater |
roundcube (Debian): status |
Unknown |
Fix Released |
|