[Pkg-roundcube-maintainers] Bug#721592: roundcube: CVE-2013-5645

Vincent Bernat bernat at debian.org
Tue Sep 3 07:01:03 UTC 2013


 ❦  3 September 2013 08:51 CEST, Salvatore Bonaccorso <carnil at debian.org> :

>> > Please adjust the affected versions in the BTS as needed. At least
>> > 0.9.2 looks affected.
>> 
>> Hi Salvatore!
>> 
>> Previous versions are likely to be affected too. I will try to backport
>> the patches. For the versions in Jessie and unstable, I will just upload
>> 0.9.3.
>
> Thanks for your quick reply! From what I see about the vulnerability,
> I would say this does not warrant a DSA, as the exploitability seems
> to be limited to a user-assisted remote attacker.

The exploit can be triggered by a user using a message as a template for
a new message. This seems far-fetched, so I agree.

> Do you agree on that conclusion? If yes I will mark this in the
> security-tracker appropriately. Could you address in that case the
> updates through a proposed-update instead?

OK.
-- 
Identify bad input; recover if possible.
            - The Elements of Programming Style (Kernighan & Plauger)