RoundCube Webmail upstream has released versions 0.8.6 and 0.7.3
to correct one security flaw:

A local file inclusion flaw was found in the way RoundCube
Webmail, a browser-based multilingual IMAP client, performed
validation of the 'generic_message_footer' value provided via
the web user interface in certain circumstances. A remote attacker
could issue a specially-crafted request that, when processed
by RoundCube Webmail, could allow an attacker to obtain arbitrary
files on the system, accessible with the privileges of the user
running the RoundCube Webmail client.
References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=928835
[2] http://sourceforge.net/news/?group_id=139281&id=310497
[3] http://lists.roundcube.net/pipermail/dev/2013-March/022328.html
[4] https://bugs.gentoo.org/show_bug.cgi?id=463554
Upstream patches:
[5] http://ow.ly/jtQD0
[6] http://ow.ly/jtQHM
[7] http://ow.ly/jtQK0
[8] http://ow.ly/jtQNd
--
Jan iankko Lieskovsky / Red Hat Security Response Team
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser
//accepts responsibility for any damage caused by the use or
//misuse of this information.