[RCD] Security update for 0.2-beta

Thomas Bruederli roundcube at gmail.com
Tue Dec 16 19:10:18 CET 2008

Dear subscribers

There were two security issues reported which are now fixed. The first
was a possible code injection using the html2text conversion script
[1]. The other exploit used the unchecked size parameters of the quota
image to let PHP create huge images eating up all the server memory.
Thanks to Stephan for reporting this.

The two vulnerable scripts were updated in the current 0.2-beta
package, and for existing RoundCube installations we recommend
downloading the update [2] and replacing all the files with the new
versions found in the archive.


[1] http://trac.roundcube.net/ticket/1485618
[2] http://downloads.sourceforge.net/roundcubemail/roundcubemail-0.2-beta-patch.tar.gz
List info: http://lists.roundcube.net/dev/
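
The second issue described above (request-supplied image dimensions passed to the image allocator unchecked) is the kind of bug a strict bounds check prevents. The sketch below is an added example, not part of the original message and not RoundCube's code; the parameter names `w` and `h`, the defaults and the limits are assumptions made for illustration.

```php
<?php
// Added illustration, not RoundCube code. The parameter names 'w' and 'h',
// the defaults and the limits below are assumptions chosen for this example.
const MAX_W = 300;  // widest quota bar the UI would need (assumed)
const MAX_H = 40;   // tallest quota bar the UI would need (assumed)

/**
 * Return a validated dimension, or $default when the value is missing,
 * not a plain integer string, or outside 1..$max. Falling back to a
 * default keeps odd input from ever reaching the image allocator.
 */
function quota_dim(array $query, string $key, int $default, int $max): int
{
    // Query values can be arrays (?w[]=1); accept plain strings only.
    if (!isset($query[$key]) || !is_string($query[$key])) {
        return $default;
    }
    $v = filter_var($query[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    return $v === false ? $default : $v;
}

/** Validated [width, height] for the quota image. */
function quota_image_size(array $query): array
{
    return [
        quota_dim($query, 'w', 100, MAX_W),
        quota_dim($query, 'h', 14, MAX_H),
    ];
}

// Constructed sample requests: one normal, the rest oversized or malformed.
$samples = [
    ['w' => '120', 'h' => '14'],
    ['w' => '50000', 'h' => '50000'],
    ['w' => '1e9', 'h' => '-5'],
    ['w' => ['x'], 'h' => '20'],
];
foreach ($samples as $q) {
    [$w, $h] = quota_image_size($q);
    // A truecolor GD canvas costs roughly 4 bytes per pixel, so the caps
    // bound the allocation at about MAX_W * MAX_H * 4 bytes per request.
    printf("%s -> %dx%d (~%d bytes)\n", json_encode($q), $w, $h, $w * $h * 4);
}
```

The image would only be created from the values returned by `quota_image_size()`, never from the raw request parameters.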
