Debian Security Advisory

DSA-3541-1 roundcube -- security update

Date Reported:
05 Apr 2016
Affected Packages:
roundcube
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2015-8770.
More information:

High-Tech Bridge Security Research Lab discovered that Roundcube, a webmail client, contained a path traversal vulnerability. This flaw could be exploited by an attacker to access sensitive files on the server, or even execute arbitrary code.

For the oldstable distribution (wheezy), this problem has been fixed in version 0.7.2-9+deb7u2.

For the testing (stretch) and unstable (sid) distributions, this problem has been fixed in version 1.1.4+dfsg.1-1.

We recommend that you upgrade your roundcube packages.