[Pkg-roundcube-maintainers] Bug#895184: Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin
Guilhem Moulin
guilhem at debian.org
Mon Apr 9 17:02:31 BST 2018
On Mon, 09 Apr 2018 at 12:25:20 +0200, Guilhem Moulin wrote:
> Thanks for the poke! Upstream fixed this earlier today:
>
> https://github.com/roundcube/roundcubemail/commit/e3dd5b66d236867572e68fcb80281e9268a0cfb0
My bad, it's only fixed in master and 1.3. Since 1.2 is still supported
and e3dd5b6 doesn't trivially apply there, IMHO it's best to wait for an
official upstream fix.
--
Guilhem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/attachments/20180409/28be84bf/attachment.sig>
More information about the Pkg-roundcube-maintainers
mailing list