[Pkg-roundcube-maintainers] Security issues in roundcube 1.2.3+dfsg.1-4+deb9u3 and 1.3.10+dfsg.1-1~deb10u1

Salvatore Bonaccorso carnil at debian.org
Wed May 6 04:54:59 BST 2020


Hi Guilhem,

On Thu, Apr 30, 2020 at 12:36:11AM +0200, Guilhem Moulin wrote:
> Dear security team,
> 
> In a recent mail roundcube webmail upstream has announced the following
> security fixes:
> 
>     - Cross-Site Scripting (XSS) via malicious HTML content
>     - CSRF attack can cause an authenticated user to be logged out
>       https://github.com/roundcube/roundcubemail/pull/7302
> 
> (Plus two more that are irrelevant for Debian.)
> http://lists.roundcube.net/pipermail/announce/2020-April/thread.html

Have a question back on those. They got assigned in the last MITRE
feed update as CVE-2020-12640 and CVE-2020-12641 and are thus fixed
as well along with 1.4.4+dfsg.1-1 and 1.3.11+dfsg.1-1~deb10u1. But
with "are irrelevant" do you mean here because the respective settings

$config['im_identify_path'] = null;
$config['im_convert_path'] = null;

in config/defaults.inc.php are here under admins control?

regards,
Salvatore
