Holger Levsen uploaded a new package for roundcube which fixed the
following security problems:
CVE-2010-0464
Roundcube 0.3.1 and earlier does not request that the web browser avoid
DNS prefetching of domain names contained in e-mail messages, which makes
it easier for remote attackers to determine the network location of the
webmail user by logging DNS requests.
For the lenny-backports distribution (lenny), these problems have been fixed
in version 0.3.1-3~bpo50+1.
If you don't use pinning (see [1]) you have to update roundcube
manually via "apt-get -t lenny-backports install roundcube".
[1] <http://backports.org/dokuwiki/doku.php?id=instructions>
We recommend to pin the backports repository to 200 so that new versions
of installed backports will be installed automatically:
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200