[Pkg-roundcube-maintainers] Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

Salvatore Bonaccorso carnil at debian.org
Sat Apr 21 07:23:55 BST 2018


Hi Guilhem,

On Sat, Apr 21, 2018 at 02:13:54AM +0200, Guilhem Moulin wrote:
> On Fri, 20 Apr 2018 at 05:18:36 +0200, Salvatore Bonaccorso wrote:
> > Thanks for following up for stretch. First a quick comment. Please
> > always CC team at security.debian.org on such questions for if an update
> > is wanted for DSA. This allows team members to better share the load
> > for review, release, etc ... (and it's recorded furthermore on the team
> > alias).
> 
> Oops, I assumed that the Security Team received all bugs tagged
> ‘security’ so I omitted the CC on purpose… my bad.

Unfortunately, or fortunately not (yet), getting all communication with
the security tag set would overwhelm our mailboxes. But as an improvement
step we are planning to get initial submissions with the security tag set.
Until now that happens only if someone uses reportbug to file the
issue, adding an X-Debbugs-CC, but not if one files a bug without
reportbug. Cf. #895661. Sorry, this got longer than I wanted. My only
intention was to quickly state that for future cases, so we might
distribute workload within the team better.
>  
> > I think we should release this through stretch-security. The debdiff
> > per se looks already good. Were you able to test the update in
> > production under stretch?
> 
> Yes, I did test the update.

Perfect.

> > There is though one no-dsa issue,
> > https://security-tracker.debian.org/tracker/CVE-2018-1000071 which
> > would be good to be included. Could you backport that fix as well and
> > send a new debdiff for quick review+ack for upload?
> 
> Sure, new debdiff attached.

Looks good to me, please do upload to security-master.

Regards,
Salvatore