Giuseppe, il suo blog » atmailopen http://www.iuculano.it Wed, 08 Sep 2010 10:53:24 +0000 it-it hourly 1 http://wordpress.org/?v=3.0.1 I’m thinking to ask for removal of atmailopen in Debian http://www.iuculano.it/en/linux/im-thinking-to-ask-for-removal-of-atmailopen-in-debian/ http://www.iuculano.it/en/linux/im-thinking-to-ask-for-removal-of-atmailopen-in-debian/#comments Fri, 22 May 2009 12:59:30 +0000 Giuseppe http://www.iuculano.it/?p=67 From December 2008, I maintain the atmailopen Debian package. This is a nice webmail in PHP and Ajax , it aim to provide an elegant Ajax webmail client for existing IMAP mailservers, with less bloat and a focus on an intuitive, simple user interface.

I was very happy when it was accepted in Debian, but I was wrong:

On 19/04/2009 I noticed a Secunia advisory about @Mail (SA34704) ,and the same day I mailed upstream and asked if atmailopen is affected by the same security vulnerability. No answer as of today, 2009-05-22 …

While checking about SA34704, I discovered that atmailopen is using the vulnerable version of html2text, which could lead to code execution attacks, the same of CVE-2008-5619 in roundcube.

On 26/04/2009 I mailed upstream to inform about this issue, but as usual, nothing… no answer as of today, 2009-05-22 …

Is clearly evident, upstream doesn’t take care about security in his atmail open source version, and doesn’t provide security support.

This is not acceptable for a software in Debian, I will request a removal.

P.S. If you aren’t using the debian package, I really suggest you to patch your atmailopen version, or better, switch to another webmail.

UPDATE: atmailopen was removed from Debian

No related posts.

]]> http://www.iuculano.it/en/linux/im-thinking-to-ask-for-removal-of-atmailopen-in-debian/feed/ 1