[Pkg-roundcube-maintainers] Security issues in roundcube 1.2.3+dfsg.1-4+deb9u4 and 1.3.11+dfsg.1-1~deb10u1

Sébastien Delafond seb at debian.org
Thu Jun 4 08:34:06 BST 2020


On 04/06 00:59, Guilhem Moulin wrote:
> Unfortunately upstream didn't assign CVEs (yet?), however the issues are
> respectively tracked in our BTS as #962123 and #962124.
> 
> For stretch-security I prepared 1.2.3+dfsg.1-4+deb9u5 with the attached
> debdiff.
> 
> The package in buster is currently following the 1.3 branch so I guess
> it makes sense to upload 1.3.12+dfsg.1-1~deb10u1 with the second
> debdiff attached.  If it's beyond the scope of buster-security I'll
> just apply these two commits:
> 
>     https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19
>     https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3
> 
> Both versions have been tested.  I would appreciate it if you could take
> care of the CVE assignments as upstream often doesn't.  I'll hold the
> upload until the CVEs are assigned so we have proper numbers in
> d/changelog.

Hi Guilhem,

thanks for your effort; I will request the CVE and also review your
diffs, hopefully before the end of the week.

Cheers,

-- 
Seb