-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1532
                         roundcube security update
                              28 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           roundcube
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Modify Arbitrary Files -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-6172  

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2787

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running roundcube check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2787-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
October 27, 2013                       http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : roundcube
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6172
Debian Bug     : 727668

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, does not properly sanitize the _session
parameter in steps/utils/save_pref.inc during saving preferences. The
vulnerability can be exploited to overwrite configuration settings and
subsequently allowing random file access, manipulated SQL queries and
even code execution.

roundcube in the oldstable distribution (squeeze) is not affected by
this problem.

For the stable distribution (wheezy), this problem has been fixed in
version 0.7.2-9+deb7u1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your roundcube packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSbNQmAAoJEAVMuPMTQ89E6zYP/0tlZhlEgadu7xvTauny/zim
RV2WCJFLmRMCGZYhCiOJ2ND50fAnn62CdO+vnWN3JH5FH0KIngLmtGfrq+EPjLwj
rFPGMPKRDZRag8oV3SeKbsHlrcMHS5H/B9GhILst3+32pbwoBE7aH5+wTMYHshsF
TK0whlv73RZge6njPfzqvdkSoIgCLYx4Mc+pXP/pC+wOaSiD/gMjKBh51DoOwpnB
r7rfs7wmy4Ke1Ljsw35LceX64kCP8YC9d7FUPZc8SxUKEk3eojrhnSzpDUBt+Pvl
/S8nAbCbbrosh464szwXL4w6gcZIDDJgvy3u3aTn+XvRCoK6cr8RrdMbBQibR1Xb
9hCdieOs0pkNbBI4yE6bivztAolHlfAwvsgFPcMv3fM26gAsSOC8SRrzRqQrqqqk
1jfUqJETE+W0FkjmZa4W6JiDm78ZP4DNFQCrITRaealMgo2dh2uKua/4PmaBwjJ/
/lrukur5D6mCcLxFEpRA9TwDYVcvWE3cCVL9WhaMBNRJWiuKuaamOujO7jPtzga8
uJZWGKQNTd4rB6WHN4uN2wqltPH3lOIxvOd+2Uu9P9mDwQkgfrQ0s/hwjB3dpPWO
vNqHSeK2j8RZPDD4reulRFC4vEbI3MCXOUcyc+JqgI9Pa61Y0qrM6PwWyoPTDROr
PGySE+o+FGBjlugiGG51
=CNJm
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUm2vVhLndAQH1ShLAQJZHBAArkst3sgUMHsCBsRDLlsyceS/AFtgawV7
P3iUi+vG9Qe0Xm0ZGYOBH/KLkAvQMVNCvDPlQ9Q4KNREPLFbmmOoBEMA5ojOyq3p
74S87+UX2XkWn/Rc+NOyShWehPd+Pq62fYkoE0FogtHZcvTUTLGijteBrfNjIbPP
bjSViQGf0+Z8TAkigDJ+cq3spo9+9Cl7tv2XkQwCEupoixNtRrlfcJMdVyiPfhR3
/O78FuUdMhAladnKz8BvThltZOGPiEsbbP4VNG2aNNaD79Mg79Ot+UbFJ4cJpXv6
2Y1IlMPQFIwL2EkxBUOcSv7AkeXNDdMQnSre+H68xeYUxKLa0zpdKxwErMCh85nK
MaqORtMAqfC65iIyB04aVPRToTeXAjjZsq7Q/bRC8ZnO2KH57KbOuCk2uDZ/dxMI
ubXVlpdYaXEpZjA0AJDj4yyxiTB9vaZrVh4rsWZOlHbhsAUUgN4TB44g6fDezIr5
wKyzLWJkYn2cH7EMvGEwlR2JDv39stlf5s7QlwEyZkX4NwwJB6RLKjcWKnLL1qBx
Wka00/sH9M1cWo7OS542sLk5CJEjavo+W8/hK0Cl3IhTgYB5d7qnYOqwhnnCYaY0
KjK80xjOWdq+qNb1c6+pkqgD61IHUMJGR/oKZcMtXW1i+MZnWKLmGcPUjBdhHLD9
ajMxk1CoBc8=
=yff0
-----END PGP SIGNATURE-----