[Pkg-roundcube-maintainers] roundcube: CVE-2020-35730: XSS vulnerability via malicious HTML or plaintext messages
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 28 06:24:24 GMT 2020
Hi Guilhem,

On Mon, Dec 28, 2020 at 03:16:51AM +0100, Guilhem Moulin wrote:
> Dear security team,
>
> In a recent post roundcube webmail upstream has announced the following
> security fix for #978491:
>
> Cross-site scripting (XSS) via HTML or Plain text messages with
> malicious content (CVE-2020-35730)
> — responsible disclosure from Alex Birnberg
>
> The package in buster is currently following the 1.3 branch and I
> propose to keep that trend; upstream changes are minimal but also
> contain two irrelevant changes, one of which (the jstz version bump) I
> reverted in debian/patches. Debdiff enclosed, as well as the diff in
> patch-applied trees. I tested this but would appreciate if you could
> take care of the DSA :-)

Looks good to me, please upload to security-master for
buster-security, we will take it from there for DSA.

Regards,
Salvatore