Security Information / 2016 / Security Information -- DSA-3541-1 roundcube

Debian Security Advisory

DSA-3541-1 roundcube -- security update

Date Reported:

05 Apr 2016

Affected Packages:

roundcube

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-8770.

More information:

High-Tech Bridge Security Research Lab discovered that Roundcube, a webmail client, contained a path traversal vulnerability. This flaw could be exploited by an attacker to access sensitive files on the server, or even execute arbitrary code.

For the oldstable distribution (wheezy), this problem has been fixed in version 0.7.2-9+deb7u2.

For the testing (stretch) and unstable (sid) distributions, this problem has been fixed in version 1.1.4+dfsg.1-1.

We recommend that you upgrade your roundcube packages.