security roundcubemail-0.8.5-1.el6 security update
Status:stable
Release: Fedora EPEL 6
Update ID: FEDORA-EPEL-2013-0298
Builds: roundcubemail-0.8.5-1.el6 (logs)
Pushed: True
Date Submitted: 2013-02-08 16:08:59
Date Released: 2013-02-09 01:07:31
Submitter: limb
Karma: 1
Details

Cross-site scripting (XSS) flaws were found in the way Round Cube Webmail, a browser-based multilingual IMAP client, performed sanitization of 'data' and 'vbscript' URLs. A remote attacker could provide a specially-crafted URL that, when opened, would lead to arbitrary JavaScript, VisualBasic script or HTML code execution in the context of Round Cube Webmail's user session.
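The class of bug described above is a URL-scheme filter that lets dangerous schemes through. The following is an added example (not Roundcube's code or its fix) of the allowlist approach a webmail sanitizer should take: decode the attribute value the way a browser would, extract the scheme, and keep only known-safe schemes, so data: and vbscript: links are neutralized regardless of case or leading whitespace. The sample HTML fragment is constructed for the demonstration.

```python
import html
import re
from typing import Optional

# Schemes a webmail client can safely pass through in href/src attributes.
# Everything else (data:, vbscript:, javascript:, ...) is rejected by default.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# Browsers ignore ASCII control characters and whitespace around a scheme,
# so the filter must drop them before looking at the scheme.
_STRIP_RE = re.compile(r"[\x00-\x20\x7f]")
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def url_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme as a browser would see it, or None for relative URLs."""
    # HTML entities in attribute values are decoded before URL parsing.
    cleaned = _STRIP_RE.sub("", html.unescape(url)).lower()
    m = _SCHEME_RE.match(cleaned)
    return m.group(1) if m else None


def sanitize_url(url: str) -> str:
    """Allowlist filter: keep relative URLs and ALLOWED_SCHEMES, neutralize anything else."""
    scheme = url_scheme(url)
    if scheme is None or scheme in ALLOWED_SCHEMES:
        return url
    return "#"  # inert replacement; the link no longer carries a payload


def sanitize_html_urls(fragment: str) -> str:
    """Rewrite every double-quoted href/src attribute in an HTML fragment through sanitize_url."""
    def repl(m: "re.Match[str]") -> str:
        return f'{m.group(1)}="{sanitize_url(m.group(2))}"'
    return re.sub(r'\b(href|src)\s*=\s*"([^"]*)"', repl, fragment, flags=re.IGNORECASE)


if __name__ == "__main__":
    # Constructed sample message body, not taken from any real mail.
    sample = ('<a href="DATA:text/html,x">open</a>'
              '<img src="http://example.com/logo.png">')
    print(sanitize_html_urls(sample))
```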

Upstream ticket: [1] http://trac.roundcube.net/ticket/1488850

Further details: [2] http://trac.roundcube.net/attachment/ticket/1488850/RoundCube2XSS.pdf

Upstream patch: [3] https://github.com/roundcube/roundcubemail/commit/74cd0a9b62f11bc07c5a1d3ba0098b54883eb0ba

References:
[4] http://sourceforge.net/news/?group_id=139281&id=310213
[5] http://www.openwall.com/lists/oss-security/2013/02/07/11
[6] http://www.openwall.com/lists/oss-security/2013/02/08/1

Bugs Fixed
909304 - CVE-2012-6121: roundcubemail: Cross-site scripting (XSS) in vbscript: and data:text URL handling [fedora-all]
909306 - CVE-2012-6121: roundcubemail: Cross-site scripting (XSS) in vbscript: and data:text URL handling [epel-6]
Feedback
bodhi - 2013-02-08 16:09:20
This update has been submitted for testing by limb.
bodhi - 2013-02-09 00:08:07
This update is currently being pushed to the Fedora EPEL 6 testing updates repository.
bodhi - 2013-02-09 01:44:12
This update has been pushed to testing
orion - 2013-02-20 23:50:09
Working here
bodhi - 2013-02-23 10:06:32
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes
bodhi - 2013-02-25 00:00:30
This update has been submitted for stable by limb.
bodhi - 2013-02-25 15:59:17
This update is currently being pushed to the Fedora EPEL 6 stable updates repository.
bodhi - 2013-02-25 18:34:21
This update has been pushed to stable
