[RCD] Security updates 0.8.6 and 0.7.3 for save-pref vulnerability

Vladislav Bogdanov bubble at hoster-ok.com
Fri Mar 29 08:58:52 CET 2013


29.03.2013 10:41, A.L.E.C wrote:
> On 03/29/2013 08:21 AM, Vladislav Bogdanov wrote:
> 
>> Thanks.
>> That means that versions before 0.4.1 are not affected.
> 
> No, that's not what I've said. Most likely 0.4.0 is also vulnerable.
> Commit you provided is just some git checkout before stable release.
> 

Hm.
https://github.com/roundcube/roundcubemail/blob/v0.4.1/program/steps/utils/save_pref.inc
was created by
https://github.com/roundcube/roundcubemail/commit/614c642a4ba8b050ecb26d25d349077f6192aa8d
at Sep 17, 2010.

0.4.1 was released 2010-09-29 (according to downloads) or Oct 06, 2010
(according to git tag), so it includes that commit.
0.4 was released 2010-08-07, so it doesn't have it.

So I seem to be correct.


