[Pkg-roundcube-maintainers] Bug#813843: wheezy backports cruelly out of date

Antoine Beaupré anarcat at debian.org
Fri Feb 5 21:37:29 UTC 2016

Source: roundcube
Version: 0.9.5-1~bpo70+1
Severity: normal
Tags: security

The wheezy version of roundcube is seriously out of date. It is
running a version that has no correspondance to the jessie version (it
was dropped from jessie prior to release) or stretch (it was not
updated since then).

The last upload was done by `Vincent Bernat <bernat at debian.org>`, one
of the current uploaders.

There are two ways out of this:

 * remove roundcube from wheezy-backports
 * update roundcube in wheezy-backports-sloppy

It may be necessary to actually do both because normally, you can't
have packages into $SUITE-backports that are not in $SUITE+1, hence
the -sloppy.

I stumbled upon this while doing secuirty triage for recent Roundcube
security issues. Normally, backports are not part of that triage, but
they are often covered eventually as the backports are updated from
the corresponding source. I am worried that the 0.9.5 version in
wheezy-backports is vulnerable to a bunch of security issues...


Just looking at the above, roundcube in wheezy-backports seems
vulnerable to http://www.cvedetails.com/cve/CVE-2013-6172/

steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x
before 0.9.5 allows remote attackers to modify configuration settings
via the _session parameter, which can be leveraged to read arbitrary
files, conduct SQL injection attacks, and execute arbitrary code.

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

More information about the Pkg-roundcube-maintainers mailing list