_______________________________________________________________________
Package : roundcubemail
Date : January 19, 2010
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been found and corrected in transmission:
A number of dependency problems were discovered and have been corrected
with this release (#56006).
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
0.2.2 and earlier allows remote attackers to hijack the authentication
of unspecified users for requests that modify user information via
unspecified vectors, a different vulnerability than CVE-2009-4077
(CVE-2009-4076).
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
0.2.2 and earlier allows remote attackers to hijack the authentication
of unspecified users for requests that send arbitrary emails via
unspecified vectors, a different vulnerability than CVE-2009-4076
(CVE-2009-4077).
The updated packages have been patched to correct these
issues. Additionally, roundcubemail has been upgraded to 0.2.2, which
also fixes a number of upstream bugs.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-4076
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-4077
https://qa.mandriva.com/56006
_______________________________________________________________________