[Pkg-roundcube-maintainers] Bug#536498: Please backport roundcube CVE-2008-5619

Benjamin Bannier benjamin.bannier at netronaut.de
Mon Jul 13 12:56:18 UTC 2009

Hash: SHA1

On Mon, 13 Jul 2009 14:27:31 +0200
Gerfried Fuchs <rhonda at deb.at> wrote:

>  ... which, in the case of this bugreport, is done. 0.1.1-9 did fix
> CVE-2008-5619 for etch-backports, so it rather seems to me that
> Benjamin got some things mixed up, unless the claimed patch in that
> upload wasn't complete.

Maybe this isn't really about CVS-2008-5616, but that's hard to say from
my logs. All I saw was POST's to roundcube-0.1.1-10~bpo40+2's admittedly
horrible html2text.php and the same symptoms as reported for
http://trac.roundcube.net/ticket/1485618 (i.e. file uploads and shell
access as www-data).

>  Would be great to get things straightened out. Benjamin, do you claim
> the package in etch-bpo affected by this bug and the fix to be
> incomplete, or what's the deal? I'm especially puzzled by your
> original version you reported it again to be 0.2.2-1 which is by far
> close to anything that's in bacports - or way over the version that
> it was fixed in already. Do you claim by that that the patch got
> removed again, or were you just puzzled?

Debian bugreport is way to fancy for me: I reported a bug in
roundcube-0.1.1-10~bpo40+2, while I already had 0.2.2-1 installed on
that machine. Apparently this bug didn't get retagged in your bugzilla
(?) incarnation.



Version: GnuPG v2.0.11 (GNU/Linux)


More information about the Pkg-roundcube-maintainers mailing list