Disable DNS prefetching to avoid information leakage through links
authorVincent Bernat <bernat@debian.org>
Sat, 13 Feb 2010 09:21:43 +0000 (09:21 +0000)
committerJérémy Bobbio <lunar@debian.org>
Sat, 18 Jun 2011 18:35:39 +0000 (20:35 +0200)
embedded in messages. This fixes CVE-2010-0464. Closes: #569660.

debian/changelog
debian/patches/disable-dns-prefetch.patch [new file with mode: 0644]
debian/patches/series

index da17bc5d67a9d72a50ab80b76d3ba0840fd5bb80..6323ebdc931475f1871688c10ce4ec4f5c81d3e8 100644 (file)
@@ -1,10 +1,12 @@
-roundcube (0.3.1-3) UNRELEASED; urgency=low
+roundcube (0.3.1-3) UNRELEASED; urgency=high
 
   * RFC 5321, section 4.5.3.1, asks to not impose any limits on length if
     possible. We respect this by dropping limitation of the local-part of
     an email address. Closes: #568360, #568537.
   * Suggests php-auth-sasl to enable use of SASL mechanisms for mail
     servers. Closes: #567550.
+  * Disable DNS prefetching to avoid information leakage through links
+    embedded in messages. This fixes CVE-2010-0464. Closes: #569660.
 
  -- Vincent Bernat <bernat@debian.org>  Fri, 05 Feb 2010 19:50:51 +0100
 
diff --git a/debian/patches/disable-dns-prefetch.patch b/debian/patches/disable-dns-prefetch.patch
new file mode 100644 (file)
index 0000000..450145f
--- /dev/null
@@ -0,0 +1,20 @@
+Disable DNS prefetching to solve CVE-2010-0464.
+
+Index: program/include/rcube_html_page.php
+===================================================================
+--- rcube/program/include/rcube_html_page.php  (revision 3214)
++++ rcube/program/include/rcube_html_page.php  (working copy)
+@@ -165,6 +165,13 @@
+             $__page_header.= $this->charset . '" />'."\n";
+         }
++        // add hint to disable DNS prefetching
++        if (!headers_sent()) {
++            header('X-DNS-Prefetch-Control: off');
++        } else {
++            $__page_header.= '<meta http-equiv="x-dns-prefetch-control" content="off" />'."\n";
++        }
++
+         // definition of the code to be placed in the document header and footer
+         if (is_array($this->script_files['head'])) {
+             foreach ($this->script_files['head'] as $file) {
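Review bot: The `header('X-DNS-Prefetch-Control: off')` call and its `<meta http-equiv>` fallback are advisory hints that only some browsers honour, and the guard silently picks the weaker meta form whenever output has already started, so a comment on the added block should state what is and is not covered, e.g. `// Hint only: asks the browser not to resolve hostnames of links in untrusted message HTML before the user clicks; it does not stop lookups for remote images or for links the user activates, and not every client honours it.` Because the header is emitted while this head string is assembled, any response that delivers message HTML without passing through this code (the hunk does not show which responses it serves) would still let the browser prefetch attacker-chosen hostnames, so it is worth confirming that the message-body view goes through the same builder. Remote images and stylesheets in a message remain a separate leak channel that this change does not address. The enclosing function starts and ends outside the hunk.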
index a8f436fe6d6d902201227fc61cfdcfab350e95ab..b76ac529f3ff582f07ab1ddb5bdbac1d607b308c 100644 (file)
@@ -7,3 +7,4 @@ loginbox-size.patch
 changeset_r3170.patch
 changeset_r3202.patch
 dont-limit-email-local-part.patch
+disable-dns-prefetch.patch