[Pkg-roundcube-maintainers] Bug#847287: Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
Vincent Bernat
bernat at debian.org
Wed Dec 7 06:46:06 UTC 2016
❦ 7 décembre 2016 00:30 +0100, Guilhem Moulin <guilhem at guilhem.org> :
>> Version: 1.1.4+dfsg.1-1~bpo8+1
>> […]
>> So probably it is important to update to upstream version 1.2.3
>
> Unfortunately 1.2.x has many dependencies that aren't in
> jessie-backports yet. I personally don't have the time nor energy to
> maintain said dependencies, so we asked backports folks for an exception
> to stick to 1.1.x for the bpo version, exception which was rejected.
> I'm afraid the remaining alternative is to take remove the package from
> jessie-backports :-(
Since the problem is quite serious, could you push the fix in bpo8+2
nonetheless? Then wait a bit before asking for removal from backports to
let actual users get an updated version. It seems far better than just
leaving some people with vulnerable versions on their systems.
--
"Not Hercules could have knock'd out his brains, for he had none."
-- Shakespeare
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/attachments/20161207/7fd6433d/attachment.sig>
More information about the Pkg-roundcube-maintainers
mailing list