[Pkg-roundcube-maintainers] Security issues in roundcube 1.2.3+dfsg.1-4+deb9u4 and 1.3.11+dfsg.1-1~deb10u1

Sébastien Delafond seb at debian.org
Tue Jun 9 06:54:28 BST 2020


On 04/06 09:34, Sébastien Delafond wrote:
> thanks for your effort; I will request the CVE and also review your
> diffs, hopefully before the end of the week.

The CVEs are as follows:

  CVE-2020-13965 [Cross-Site Scripting (XSS) vulnerability via malicious XML messages]
    - roundcube 1.4.5+dfsg.1-1 (bug #962124)
  CVE-2020-13964 [Cross-Site Scripting (XSS) vulnerability in template object 'username']
    - roundcube 1.4.5+dfsg.1-1 (bug #962123)

The debdiff for buster looks good, but the one for stretch only mentions
#962123 and not #962124. Once you fix that, and include the CVEs in both
changelogs, feel free to upload to security-master.

Cheers,

-- 
Seb