Message-Id: <200901250356.n0P3udFL042980@www.freebsd.org>
Date: Sun, 25 Jan 2009 03:56:39 GMT
From: Mark Foster <mark@foster.cc>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [vuxml] mail/roundcube vulnerability
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         130968
>Category:       ports
>Synopsis:       [vuxml] mail/roundcube vulnerability
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    miwi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 25 04:00:03 UTC 2009
>Closed-Date:    Mon Mar 16 18:49:36 UTC 2009
>Last-Modified:  Mon Mar 16 18:50:01 UTC 2009
>Originator:     Mark Foster
>Release:        7.1 RELEASE
>Organization:
Credentia
>Environment:
>Description:

>How-To-Repeat:

>Fix:
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
   <vuln vid="a0683fa8-e0c5-4d6d-913a-8850f8ed9583">
     <topic>roundcube -- RoundCube Webmail Background Attributes Email Message HTML Injection Vulnerabili</topic>
     <affects>
       <package>
         <name>roundcube</name>
         <range><le>0.2</le></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>SecurityFocus reports:</p>
         <blockquote cite="http://www.securityfocus.com/bid/33372">
           <p>RoundCube Webmail is prone to an HTML-injection vulnerability because the application fails to sufficiently sanitize user-supplied input before using it in dynamically generated content.</p>
           <p>Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.</p>
           <p>RoundCube Webmail 0.2-stable is vulnerable; other versions may also be affected.</p>
         </blockquote>
       </body>
     </description>
     <references>
      <url>http://www.securityfocus.com/bid/33372</url>
      <cvename>CVE-2008-5734</cvename>
      <bid>33372</bid>
     </references>
     <dates>
       <discovery>2009-01-20</discovery>
       <entry>2009-01-24</entry>
     </dates>
   </vuln>
</vuxml>


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->ale 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Sun Jan 25 04:00:29 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=130968 
State-Changed-From-To: open->suspended 
State-Changed-By: ale 
State-Changed-When: Wed Mar 11 14:40:26 UTC 2009 
State-Changed-Why:  
Fixed. vuxml needs to be updated. 


Responsible-Changed-From-To: ale->miwi 
Responsible-Changed-By: ale 
Responsible-Changed-When: Wed Mar 11 14:40:26 UTC 2009 
Responsible-Changed-Why:  
Fixed. vuxml needs to be updated. 

State-Changed-From-To: suspended->closed 
State-Changed-By: miwi 
State-Changed-When: Mon Mar 16 18:49:35 UTC 2009 
State-Changed-Why:  
Committed. Thanks! 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/130968: commit references a PR
Date: Mon, 16 Mar 2009 18:49:43 +0000 (UTC)

 miwi        2009-03-16 18:49:33 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/vuxml       vuln.xml 
   Log:
   - Document roundcube -- webmail script insertion and php code injection
   
   PR:             based on 130968
   
   Revision  Changes    Path
   1.1884    +42 -1     ports/security/vuxml/vuln.xml
 
>Unformatted:
