[Pkg-roundcube-maintainers] [thomas at roundcube.net: [RCD] Security Updates 1.1.4 and 1.0.8 released]

Guilhem Moulin guilhem at guilhem.org
Sun Dec 27 20:08:26 UTC 2015


Hi there,

We should definitely upload 1.1.4 to unstable (and later to
jessie-backports).  However with the current debian/watch file, uscan(1)
downloads 1.2-beta instead.  I wonder if that's intended, or if Debian
should stick to the stable branch on sid as well.  (For the backports I
guess the stable branch is more appropriate anyway.)

Cheers,
-- 
Guilhem.

----- Forwarded message from Thomas Bruederli <thomas at roundcube.net> -----

Date: Sat, 26 Dec 2015 14:37:07 +0100
From: Thomas Bruederli <thomas at roundcube.net>
Subject: [RCD] Security Updates 1.1.4 and 1.0.8 released
To: Roundcube Announce List <announce at lists.roundcube.net>
Cc: Roundcube Users List <users at lists.roundcube.net>, Roundcube Dev List <dev at lists.roundcube.net>

Dear Roundcube users

We just published updates to both stable versions 1.0 and 1.1
delivering important bug fixes, one of which seals a potential path
traversal vulnerability [1] recently reported by High-Tech Bridge
Security Research Lab. Although the vulnerability is not fully
disclosed yet, the attack scenario requires an active Roundcube
account as well as write privileges on the same host Roundcube is
served from (without open_basedir protection).

A second security improvement adds some measures against brute-force attacks.
See the full changelog here:
http://trac.roundcube.net/wiki/Changelog#RELEASE1.1.4

Both versions are considered stable and we recommend updating all
production installations of Roundcube to either of these versions.
Download them from https://roundcube.net/download

If you prefer to patch your installation for the path traversal
vulnerability only, we also published patches on our download mirrors
for versions 1.0 [2] and 1.1 [3].

As usual, don't forget to back up your data before updating!

Thanks for all your support and happy new year!

Thomas

[1] https://www.htbridge.com/advisory/HTB23283
[2] https://sourceforge.net/projects/roundcubemail/files/roundcubemail/1.0.8/
[3] https://sourceforge.net/projects/roundcubemail/files/roundcubemail/1.1.4/

----- End forwarded message -----
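The watch-file problem Guilhem describes (uscan picking up 1.2-beta over 1.1.4) comes from a version regex loose enough to match pre-release tarballs: dpkg version ordering ranks 1.2-beta above 1.1.4 because 1.2 is already greater than 1.1 before any suffix is looked at. Below is an added illustration, not the Debian package's actual debian/watch file and not anything from the thread: a loose pattern beside a pattern restricted to the stable x.y.z branch. It assumes the uscan(1) sf.net redirector and a tarball naming of roundcubemail-<version>.tar.gz on the SourceForge mirror; verify both against the package before use.

```text
# debian/watch (added example, hypothetical; not the package's real file)
version=3

# Loose pattern: (.+) also matches "1.2-beta", and uscan then reports
# roundcubemail-1.2-beta.tar.gz as the newest upstream tarball.
#https://sf.net/roundcubemail/roundcubemail-(.+)\.tar\.gz

# Stable-branch pattern: three dotted numeric components and nothing else,
# so "1.2-beta" or "1.2-rc" cannot match and only 1.1.4 / 1.0.8-style
# releases are candidates.  Assumption: the sf.net redirector and the
# roundcubemail-<version>.tar.gz naming used on the SourceForge mirror.
https://sf.net/roundcubemail/roundcubemail-(\d+\.\d+\.\d+)\.tar\.gz
```

Running `uscan --report --verbose` after the change shows which tarballs matched and which was selected; for a backports-only rule the same regex can be kept in the backports branch while sid, if the maintainers prefer to follow betas, keeps a looser one.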

