[Pkg-roundcube-maintainers] Bug#536498: Please backport roundcube CVE-2008-5619

Benjamin Bannier benjamin.bannier at netronaut.de
Mon Jul 13 12:56:18 UTC 2009


On Mon, 13 Jul 2009 14:27:31 +0200
Gerfried Fuchs <rhonda at deb.at> wrote:

>  ... which, in the case of this bug report, is done. 0.1.1-9 did fix
> CVE-2008-5619 for etch-backports, so it rather seems to me that
> Benjamin got some things mixed up, unless the claimed patch in that
> upload wasn't complete.

Maybe this isn't really about CVE-2008-5616, but that's hard to say from
my logs. All I saw was POSTs to roundcube-0.1.1-10~bpo40+2's admittedly
horrible html2text.php and the same symptoms as reported for
http://trac.roundcube.net/ticket/1485618 (i.e. file uploads and shell
access as www-data).

>  Would be great to get things straightened out. Benjamin, do you claim
> the package in etch-bpo to be affected by this bug and the fix to be
> incomplete, or what's the deal? I'm especially puzzled by your
> original version: you reported it again to be 0.2.2-1, which is by far
> close to anything that's in backports - or way over the version that
> it was fixed in already. Do you claim by that that the patch got
> removed again, or were you just puzzled?

The Debian bug report is way too fancy for me: I reported a bug in
roundcube-0.1.1-10~bpo40+2, while I already had 0.2.2-1 installed on
that machine. Apparently this bug didn't get retagged in your bugzilla
(?) incarnation.

Thanks,

Benjamin
