[Pkg-roundcube-maintainers] Bug#847287: Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
Guilhem Moulin
guilhem at guilhem.org
Wed Dec 7 10:27:42 UTC 2016
On Wed, 07 Dec 2016 at 07:46:06 +0100, Vincent Bernat wrote:
> ❦ 7 décembre 2016 00:30 +0100, Guilhem Moulin <guilhem at guilhem.org> :
>
>>> Version: 1.1.4+dfsg.1-1~bpo8+1
>>> […]
>>> So probably it is important to update to upstream version 1.2.3
>>
>> Unfortunately 1.2.x has many dependencies that aren't in
>> jessie-backports yet. I personally don't have the time nor energy to
>> maintain said dependencies, so we asked backports folks for an exception
>> to stick to 1.1.x for the bpo version, exception which was rejected.
>> I'm afraid the remaining alternative is to take remove the package from
>> jessie-backports :-(
>
> Since the problem is quite serious, could you push the fix in bpo8+2
> nonetheless? Then wait a bit before asking for removal from backports to
> let actual users get an updated version. It seems far better than just
> leaving some people with vulnerable versions on their systems.
Just tagged and pushed ‘debian/1.1.5+dfsg.1-1_bpo8+2’. Note that I
moved jessie-backports's HEAD to its parent first as is was on
debian/1.1.6+dfsg.1-1_bpo8+1 which didn't make it to bpo. Running
git branch jessie-backports debian/1.1.5+dfsg.1-1_bpo8+1
before pull should fix this. Sorry for the inconvenience.
--
Guilhem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/attachments/20161207/d54ae548/attachment.sig>
More information about the Pkg-roundcube-maintainers
mailing list