> CVE 2008-5619 states "html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch." These versions have never entered Ubuntu.

I think this is an incomplete description in the CVE. It must mean *up to* version 0.2-1.alpha and 0.2-3.beta. The vulnerable code in program/lib/html2text.inc is present in the hardy package as well, and in the German community forum there was a user whose server got compromised via this attack vector and who was using roundcube version 0.1-rc1.

http://forum.ubuntuusers.de/topic/was-ist-wssh/ (German)

--
CVE-2008-5620- Roundcube vulnerable and actively exploited
https://bugs.launchpad.net/bugs/316550
