[Pkg-roundcube-maintainers] Bug#847287: Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

Guilhem Moulin guilhem at guilhem.org
Wed Dec 7 11:08:15 UTC 2016


On Wed, 07 Dec 2016 at 11:55:50 +0100, Vincent Bernat wrote:
> ❦  7 December 2016 11:27 +0100, Guilhem Moulin <guilhem at guilhem.org> :
> 
>>>> Unfortunately 1.2.x has many dependencies that aren't in
>>>> jessie-backports yet.  I personally don't have the time nor energy to
>>>> maintain said dependencies, so we asked backports folks for an exception
>>>> to stick to 1.1.x for the bpo version, exception which was rejected.
>>>> I'm afraid the remaining alternative is to remove the package from
>>>> jessie-backports :-(
>>> 
>>> Since the problem is quite serious, could you push the fix in bpo8+2
>>> nonetheless? Then wait a bit before asking for removal from backports to
>>> let actual users get an updated version. It seems far better than just
>>> leaving some people with vulnerable versions on their systems.
>>
>> Just tagged and pushed ‘debian/1.1.5+dfsg.1-1_bpo8+2’.  Note that I
>> moved jessie-backports's HEAD to its parent first as it was on
>> debian/1.1.6+dfsg.1-1_bpo8+1 which didn't make it to bpo.  Running
>>
>>    git branch jessie-backports debian/1.1.5+dfsg.1-1_bpo8+1
>>
>> before pulling should fix this.  Sorry for the inconvenience.
> 
> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
> big.

1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
April 29).  The diff between 1.1.5+dfsg.1-1_bpo8+1 and 1.1.5+dfsg.1-1_bpo8+2
is merely the upstream fix

    https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/diff/?id=debian/1.1.5%2bdfsg.1-1_bpo8%2b2&id2=debian/1.1.5%2bdfsg.1-1_bpo8%2b1

-- 
Guilhem.