[Bug 316550] Re: CVE-2008-5620- Roundcube vulnerable and actively exploited

otzenpunk reisswolf_nospam at otzenpunkrock.de
Fri Feb 20 03:27:29 UTC 2009


> CVE 2008-5619 states "html2text.php in RoundCube Webmail
> (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to
> execute arbitrary code via crafted input that is processed by the
> preg_replace function with the eval switch." These versions have never
> entered Ubuntu.

I think this is an incomplete description in the CVE. It must mean *up
to* version 0.2-1.alpha and 0.2-3.beta.

The vulnerable code in program/lib/html2text.inc is present in the hardy
package as well, and in the German community forum there was a user
whose server got compromised via this attack vector and who was using
roundcube version 0.1-rc1.

http://forum.ubuntuusers.de/topic/was-ist-wssh/ (German)

-- 
CVE-2008-5620- Roundcube vulnerable and actively exploited
https://bugs.launchpad.net/bugs/316550
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs



