[Git][security-tracker-team/security-tracker][master] Update status for CVE-2019-10740/roundcube

[Salvatore Bonaccorso]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f39b717e by Salvatore Bonaccorso at 2019-05-14T04:30:28Z
Update status for CVE-2019-10740/roundcube

The issue is mostly "irrelevant" in direct installations in Debian, as
the functionality relies on the enigma plugin which depends on the PHP
PEAR module (php-crypt-gpg).

php-crypt-gpg is neither in stretch nor in buster so we can mark the
issue as ignored. Still the issue might be fixed in a later point
release.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3163,8 +3163,8 @@ CVE-2019-10741 (K-9 Mail v5.600 can include the original quoted HTML code of a s
 	NOT-FOR-US: K-9 Mail
 CVE-2019-10740 (In Roundcube Webmail 1.3.4, an attacker in possession of S/MIME or PGP ...)
 	- roundcube <unfixed> (bug #927713)
-	[buster] - roundcube <postponed> (Revisit when fixed upstream)
-	[stretch] - roundcube <postponed> (Revisit when fixed upstream)
+	[buster] - roundcube <ignored> (Relies on php-crypt-gpg, not in buster)
+	[stretch] - roundcube <ignored> (Relies on php-crypt-gpg, not in stretch. Old version in 1.3 doesn't verify signature anyway)
 	NOTE: https://github.com/roundcube/roundcubemail/issues/6638
 CVE-2019-10739
 	RESERVED



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f39b717e5adecc58a8ea68e9cfc09664cec36a58

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f39b717e5adecc58a8ea68e9cfc09664cec36a58
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190514/ea3ffd1f/attachment.html>