[Pkg-roundcube-maintainers] Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

Guilhem Moulin guilhem at debian.org
Sat Apr 21 12:03:04 BST 2018


On Sat, 21 Apr 2018 at 08:23:55 +0200, Salvatore Bonaccorso wrote:
> On Sat, Apr 21, 2018 at 02:13:54AM +0200, Guilhem Moulin wrote:
>> On Fri, 20 Apr 2018 at 05:18:36 +0200, Salvatore Bonaccorso wrote:
>>> Thanks for following up for stretch. First a quick comment. Please
>>> always CC team at security.debian.org on such questions for if an update
>>> is wanted for DSA. This alows team members to better share the load
>>> for review, release, etc ... (and it's recorded futhermore on the team
>>> alias).
>> Oops, I assumed that the Security Team received all bugs tagged
>> ‘security’ so I omitted the CC on purpose… my bad.
> Unfortunately, or fortunately not (yet), getting all comunication with
> Tag security set will overwhelm our mailboxes. But as an improvement
> step we are planning to get initial submissions with security tag set.
> Until now that happens only if someone uses reportbug to fill the
> issue, adding a X-Debbugs-CC, but not if one fills wihout reportbug a
> bug. Cf. #895661. Sorry, got now longer as I want. My only intention
> was to quickly state that for future cases, so we might distributed
> workload within the team better.

I see, thanks for the info; I'll try to remember that next time :-)

>>> There is though one no-dsa issue,
>>> https://security-tracker.debian.org/tracker/CVE-2018-1000071 which
>>> would be good to be included. Could you backport that fix as well and
>>> send a new debdiff for quick review+ack for upload?
>> Sure, new debdiff attached.
> Looks good to me, please do upload to security-master.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20180421/af896dc6/attachment.sig>

More information about the Pkg-roundcube-maintainers mailing list