[Pkg-roundcube-maintainers] Security issues in roundcube 1.2.3+dfsg.1-4+deb9u4 and 1.3.11+dfsg.1-1~deb10u1
Sébastien Delafond
seb at debian.org
Tue Jun 9 06:54:28 BST 2020
On 04/06 09:34, Sébastien Delafond wrote:
> thanks for your effort; I will request the CVE and also review your
> diffs, hopefully before the end of the week.
The CVEs are as follows:
CVE-2020-13965 [Cross-Site Scripting (XSS) vulnerability via malicious XML messages]
- roundcube 1.4.5+dfsg.1-1 (bug #962124)
CVE-2020-13964 [Cross-Site Scripting (XSS) vulnerability in template object 'username']
- roundcube 1.4.5+dfsg.1-1 (bug #962123)
The debdiff for buster looks good, but the one for stretch only mentions
#962123 and not #962124. Once you fix that, and include the CVEs in both
changelogs, feel free to upload to security-master.
Cheers,
--
Seb