[Pkg-roundcube-maintainers] Roundcube security release (1.2.7)
Salvatore Bonaccorso
carnil at debian.org
Thu Nov 9 06:42:09 GMT 2017
Hi
Thanks for preparing the update. Comment below:
On Thu, Nov 09, 2017 at 07:24:34AM +0100, Guilhem Moulin wrote:
> Hi there,
>
> upstream has just released 1.2.7 [0], with a fix for CVE-2017-8114:
>
> File disclosure vulnerability caused by insufficient
> input validation in conjunction with file-based attachment plugins,
> which are used by default.
>
> I backported the fix to 1.2.4 [1]. Debdiff attached, you can also find
> the source package for 1.2.3+dfsg.1-4+deb8u1 at
>
> https://guilhem.org/tmp/roundcube_1.2.3+dfsg.1-4+deb8u1.dsc
>
> Cheers,
> --
> Guilhem.
>
> [0] http://lists.roundcube.net/pipermail/dev/2017-November/024064.html
> [1] https://github.com/roundcube/roundcubemail/commit/9be2224c779d7abc7b29eea2b83a8a3671c543e0#diff-8b401f96d95c9030ebc34e3a92c65bf4
> diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
> --- roundcube-1.2.3+dfsg.1/debian/changelog 2017-05-01 23:37:14.000000000 +0200
> +++ roundcube-1.2.3+dfsg.1/debian/changelog 2017-11-09 06:45:05.000000000 +0100
> @@ -1,3 +1,12 @@
> +roundcube (1.2.3+dfsg.1-4+deb8u1) jessie-security; urgency=high
> +
> + * Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
> + insufficient input validation in conjunction with file-based attachment
> + plugins, which are used by default.
> + https://github.com/roundcube/roundcubemail/issues/6026
> +
> + -- Guilhem Moulin <guilhem at debian.org> Thu, 09 Nov 2017 06:45:05 +0100
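Review bot: the CVE identifier in the changelog entry (`+ * Backport fix for CVE-2017-16651: File disclosure vulnerability caused by`) does not match the one given in the mail body for the same 1.2.7 fix (CVE-2017-8114); confirm which identifier the upstream release actually addresses and use it consistently in the changelog and the upload, otherwise the security tracker entry will not be closed by this upload. The first line of the hunk, `+roundcube (1.2.3+dfsg.1-4+deb8u1) jessie-security; urgency=high`, also has to carry the version suffix and suite of the distribution actually being uploaded to (the reply below asks for deb9u1 and stretch-security).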
This needs to be 1.2.3+dfsg.1-4+deb9u1 and stretch-security.
I quickly skimmed over the debdiff, and it looks good to me. Assuming you
have tested it, please feel free to upload to security-master with the
above changes.
Make sure to build with -sa to include the orig.tar.gz since the
upload is new for dak on security master.
Regards,
Salvatore