From 6bc9b11d2e33c6cbc8f6ea1fd3b8d370e7facc5b Mon Sep 17 00:00:00 2001 From: Jon Ciesla Date: Feb 01 2010 18:40:48 +0000 Subject: CVE-2010-0464. --- diff --git a/roundcubemail-0.3.1-CVE-2010-0464.patch b/roundcubemail-0.3.1-CVE-2010-0464.patch new file mode 100644 index 0000000..37bb9c0 --- /dev/null +++ b/roundcubemail-0.3.1-CVE-2010-0464.patch @@ -0,0 +1,17 @@ +--- program/include/rcube_html_page.php~ 2009-06-22 11:20:34.000000000 -0500 ++++ program/include/rcube_html_page.php 2010-02-01 12:21:44.000000000 -0600 +@@ -164,7 +164,13 @@ + $__page_header.= ' content="text/html; charset='; + $__page_header.= $this->charset . '" />'."\n"; + } +- ++ // add hint to disable DNS prefetching ++ if (!headers_sent()) { ++ header('X-DNS-Prefetch-Control: off'); ++ } else { ++ $__page_header.= ''."\n"; ++ } ++ + // definition of the code to be placed in the document header and footer + if (is_array($this->script_files['head'])) { + foreach ($this->script_files['head'] as $file) { diff --git a/roundcubemail.spec b/roundcubemail.spec index e43c589..994df0c 100644 --- a/roundcubemail.spec +++ b/roundcubemail.spec @@ -1,14 +1,14 @@ %define roundcubedir %{_datadir}/roundcubemail %global _logdir /var/log Name: roundcubemail -Version: 0.3 +Version: 0.3.1 Release: 2%{?dist} Summary: Round Cube Webmail is a browser-based multilingual IMAP client Group: Applications/System License: GPLv2 URL: http://www.roundcube.net -Source0: roundcubemail-%{version}-stable-dep.tar.gz +Source0: roundcubemail-%{version}-dep.tar.gz Source1: roundcubemail.conf Source2: roundcubemail.logrotate Source4: roundcubemail-README.fedora @@ -19,6 +19,7 @@ Patch0: roundcubemail-0.2-beta-confpath.patch #Patch2: roundcubemail-0.2-beta-CVE-2008-5620.patch #Patch3: roundcubemail-0.2-CVE-2009-0413.patch Patch4: roundcubemail-0.2-stable-pg-mdb2.patch +Patch5: roundcubemail-0.3.1-CVE-2010-0464.patch BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root%(%{__id_u} -n) 
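Review bot: In the new file roundcubemail-0.3.1-CVE-2010-0464.patch, the `else` branch as shown appends only `''."\n"` to `$__page_header`, so when `headers_sent()` is already true the page gets no DNS-prefetch opt-out at all. The literal was presumably meant to carry the in-document equivalent of the header, `<meta http-equiv="x-dns-prefetch-control" content="off" />`, and may only have been stripped when this page was rendered; confirm that the patch file in the repository contains it. The control is advisory and is honoured only by browsers that implement it. It also covers only responses built through this page-header code, so any other output path that serves message content needs checking separately. The enclosing function starts and ends outside the embedded hunk.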
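Review bot: The added `Patch5:` line in roundcubemail.spec carries no comment saying what the patch fixes or whether it is a backport, which a maintainer will need to know when rebasing to the next upstream release. I would put a line above it such as `# CVE-2010-0464: disable DNS prefetching (BZ 560143); drop once the upstream release includes the fix`. The same reference would help next to `%patch5 -p0` in the `%prep` hunk.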
@@ -46,13 +47,14 @@ requires the MySQL database or the PostgreSQL database. The user interface is fully skinnable using XHTML and CSS 2. %prep -%setup -q -n roundcubemail-0.3-stable-dep +%setup -q -n roundcubemail-%{version}-dep %patch0 -p0 #%patch1 -p0 #%patch2 -p0 #%patch3 -p0 %patch4 -p0 +%patch5 -p0 # fix permissions and remove any .htaccess files find . -type f -print | xargs chmod a-x @@ -144,6 +146,12 @@ exit 0 %config(noreplace) %{_sysconfdir}/logrotate.d/roundcubemail %changelog +* Mon Feb 01 2010 Jon Ciesla = 0.3.1-2 +- Patch to fix CVE-2010-0464, BZ 560143. + +* Mon Nov 30 2009 Jon Ciesla = 0.3.1-1 +- New upstream. + * Thu Oct 22 2009 Jon Ciesla = 0.3-2 - Macro fix, BZ530037. diff --git a/sources b/sources index 8784446..6effb20 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f574e0c1f22194c752f5ae415a90d6cc roundcubemail-0.3-stable-dep.tar.gz +ad8e3ba04b53e488547f643076722aa5 roundcubemail-0.3.1-dep.tar.gz