<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<h3>

Salvatore Bonaccorso pushed to branch master

at <a href="https://salsa.debian.org/security-tracker-team/security-tracker">Debian Security Tracker / security-tracker</a>

</h3>

<h4>

Commits:

</h4>

<ul>

<li>

<strong><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc5c0f476f86ce3ad08e5015d2222ebb4eb9c4a">3fc5c0f4</a></strong>

<div>

<span>by Salvatore Bonaccorso</span>

<i>at 2020-05-06T16:30:30+02:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Mark CVE-2020-1264{0,1}/roundcube as unimporant

no-dsa might be another option. To exploit the issues one would neet to

set $config['im_identify_path'] or $config['im_convert_path'] to a

string containing shell metacharacters.  The config files itself are

created in the Debian package and created with ownership root:www-data

and mode 0640 by default.

So this in order to be exploited, would already need elevated privileges

to write to those files crafted values.

This is the background for the non-issue decision. If a reviewer

disagrees on this reasoning please mark those no-dsa instead.

</pre>

</li>

</ul>

<h4>1 changed file:</h4>

<ul>

<li class="file-stats">

<a href="#4716ef5aa8f2742228ba3b3633215c8b808565e3">

data/CVE/list

</a>

</li>

</ul>

<h4>Changes:</h4>

<li id="4716ef5aa8f2742228ba3b3633215c8b808565e3">

<a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc5c0f476f86ce3ad08e5015d2222ebb4eb9c4a#4716ef5aa8f2742228ba3b3633215c8b808565e3"><strong>data/CVE/list</strong></a>

<hr>

No preview for this file type

<br>

</li>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #777;">

—

<br>

<a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc5c0f476f86ce3ad08e5015d2222ebb4eb9c4a">View it on GitLab</a>.

<br>

You're receiving this email because of your account on salsa.debian.org.

If you'd like to receive fewer emails, you can

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Commit","url":"https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc5c0f476f86ce3ad08e5015d2222ebb4eb9c4a"}}</script>

</p>

</div>

</body>

</html>