[Pkg-roundcube-maintainers] roundcube: CVE-2020-15562: XSS vulnerability via HTML messages with malicious svg/namespace
Sébastien Delafond
seb at debian.org
Tue Jul 7 08:40:18 BST 2020
On 07/07 08:33, Sébastien Delafond wrote:
> On 06/07 16:43, Guilhem Moulin wrote:
> > This was assigned CVE-2020-15562 today.
> >
> > For stretch-security I prepared 1.2.3+dfsg.1-4+deb9u6 with the attached
> > debdiff.
For stretch, the official security support technically ended on the 5th
of July; could you channel this update via SPU instead? This should be
done before this coming Saturday.
> > The package in buster is currently following the 1.3 branch, but
> > 1.3.14+dfsg.1-1~deb10u1 contains only the targeted fix. Debdiff
> > attached.
This looks good, please upload to security-master (don't forget to use
-sa).
Cheers,
--
Seb