29.03.2013 10:41, A.L.E.C wrote: > On 03/29/2013 08:21 AM, Vladislav Bogdanov wrote: > >> Thanks. >> That means that versions before 0.4.1 are not affected. > > No, that's not what I've said. Most likely 0.4.0 is also vulnerable. > Commit you provided is just some git checkout before stable release. >
Hm. https://github.com/roundcube/roundcubemail/blob/v0.4.1/program/steps/utils/save_pref.inc was created by https://github.com/roundcube/roundcubemail/commit/614c642a4ba8b050ecb26d25d349077f6192aa8d at Sep 17, 2010. 0.4.1 was released 2010-09-29 (according to downloads) or Oct 06, 2010 (according to git tag), so it includes that commit. 0.4 - was released 2010-08-07, so it doesn't have it. So I seem to be correct. _______________________________________________ Roundcube Development discussion mailing list dev@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/dev
