29.03.2013 10:41, A.L.E.C wrote:
On 03/29/2013 08:21 AM, Vladislav Bogdanov wrote:
Thanks. That means that versions before 0.4.1 are not affected.
No, that's not what I've said. Most likely 0.4.0 is also vulnerable. Commit you provided is just some git checkout before stable release.
Hm. https://github.com/roundcube/roundcubemail/blob/v0.4.1/program/steps/utils/s... was created by https://github.com/roundcube/roundcubemail/commit/614c642a4ba8b050ecb26d25d3... at Sep 17, 2010.
0.4.1 was released 2010-09-29 (according to downloads) or Oct 06, 2010 (according to git tag), so it includes that commit. 0.4 - was released 2010-08-07, so it doesn't have it.
So I seem to be correct.