[Pkg-roundcube-maintainers] Roundcube security release (1.2.7)
carnil at debian.org
Thu Nov 9 06:42:09 GMT 2017
Thanks for preparing the update. Comment below:
On Thu, Nov 09, 2017 at 07:24:34AM +0100, Guilhem Moulin wrote:
> Hi there,
> upstream has just released 1.2.7, with a fix for CVE-2017-8114:
> File disclosure vulnerability caused by insufficient
> input validation in conjunction with file-based attachment plugins,
> which are used by default.
> I backported the fix to 1.2.4. Debdiff attached, you can also find
> the source package for 1.2.3+dfsg.1-4+deb8u1 at
>  http://lists.roundcube.net/pipermail/dev/2017-November/024064.html
>  https://github.com/roundcube/roundcubemail/commit/9be2224c779d7abc7b29eea2b83a8a3671c543e0#diff-8b401f96d95c9030ebc34e3a92c65bf4
> diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
> --- roundcube-1.2.3+dfsg.1/debian/changelog 2017-05-01 23:37:14.000000000 +0200
> +++ roundcube-1.2.3+dfsg.1/debian/changelog 2017-11-09 06:45:05.000000000 +0100
> @@ -1,3 +1,12 @@
> +roundcube (1.2.3+dfsg.1-4+deb8u1) jessie-security; urgency=high
> + * Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
> + insufficient input validation in conjunction with file-based attachment
> + plugins, which are used by default.
> + https://github.com/roundcube/roundcubemail/issues/6026
> + -- Guilhem Moulin <guilhem at debian.org> Thu, 09 Nov 2017 06:45:05 +0100
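Review bot: the CVE identifier in this changelog entry (CVE-2017-16651, line "Backport fix for CVE-2017-16651") does not match the one given in the cover mail above (CVE-2017-8114) for the same 1.2.7 file disclosure fix; settle on the correct identifier before upload, since the security tracker keys the update on it. The distribution and version in the first line (jessie-security, 1.2.3+dfsg.1-4+deb8u1) likewise need to agree with the suite the upload is actually targeted at.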
This needs to be 1.2.3+dfsg.1-4+deb9u1 and stretch-security.
I quickly skimmed over the debdiff, and it looks good to me. Assuming you
have tested it, please feel free to upload to security-master with the
Make sure to build with -sa to include the orig.tar.gz since the
upload is new for dak on security master.