[Pkg-roundcube-maintainers] Security issues in roundcube 1.2.3+dfsg.1-4+deb9u3 and 1.3.10+dfsg.1-1~deb10u1
Salvatore Bonaccorso
carnil at debian.org
Wed May 6 04:54:59 BST 2020
Hi Guilhem,
On Thu, Apr 30, 2020 at 12:36:11AM +0200, Guilhem Moulin wrote:
> Dear security team,
>
> In a recent mail roundcube webmail upstream has announced the following
> security fixes:
>
> - Cross-Site Scripting (XSS) via malicious HTML content
> - CSRF attack can cause an authenticated user to be logged out
> https://github.com/roundcube/roundcubemail/pull/7302
>
> (Plus two more that are irrelevant for Debian.)
> http://lists.roundcube.net/pipermail/announce/2020-April/thread.html
I have a question back on those. They got assigned in the last MITRE
feed update as CVE-2020-12640 and CVE-2020-12641 and are thus fixed as
well in 1.4.4+dfsg.1-1 and 1.3.11+dfsg.1-1~deb10u1. But with "are
irrelevant", do you mean here that it is because the respective settings
$config['im_identify_path'] = null;
$config['im_convert_path'] = null;
in config/defaults.inc.php are under the admin's control?
regards,
Salvatore
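As an added illustration of the point Salvatore raises (not part of the mail thread and not Roundcube's own code), the following POSIX shell snippet audits a Roundcube config file for the two ImageMagick path settings named above, reporting whether each is absent, explicitly null, or set to a path. It assumes the single-line "$config['name'] = value;" form shown in the quoted defaults.inc.php lines and ignores commented-out assignments; the sample config it runs against is constructed here for the demonstration. It only reports what an admin has configured and says nothing about which package versions carry the fixes.

```shell
#!/bin/sh
# Audit a Roundcube config file for im_identify_path / im_convert_path.
# Added example, not from the mailing-list thread or the Roundcube project.

# Write a constructed sample config (not a real site's config) to the file in $1.
rc_write_sample_config() {
    cat > "$1" <<'EOF'
<?php
// constructed sample mirroring the config/defaults.inc.php lines quoted above
$config['product_name'] = 'Roundcube Webmail';
// $config['im_convert_path'] = '/usr/local/bin/convert';   (commented out, ignored)
$config['im_identify_path'] = null;
$config['im_convert_path'] = '/usr/bin/convert';
EOF
}

# Print the raw value of the last uncommented "$config['<name>'] = <value>;"
# assignment in file $1 for setting $2; prints nothing when it is absent.
# Assumes the one-line assignment form used by defaults.inc.php.
rc_config_value() {
    sed -n "s/^[[:space:]]*\$config\['$2'\][[:space:]]*=[[:space:]]*\(.*\);.*$/\1/p" "$1" | tail -n 1
}

# Classify setting $2 in file $1: prints "unset" (absent), "null" (explicitly
# disabled) or the configured value with surrounding quotes stripped.
# Returns 0 when the setting is disabled or absent, 1 when it is set.
rc_im_setting_status() {
    val=$(rc_config_value "$1" "$2")
    case "$val" in
        "")              echo "unset"; return 0 ;;
        null|NULL|Null)  echo "null";  return 0 ;;
    esac
    val=${val#\'}; val=${val%\'}
    val=${val#\"}; val=${val%\"}
    echo "$val"
    return 1
}

# Report both ImageMagick settings; exit 1 if either one points at a binary,
# so the admin knows the setting is active and worth reviewing.
rc_audit_im_paths() {
    rc=0
    for key in im_identify_path im_convert_path; do
        status=$(rc_im_setting_status "$1" "$key") || rc=1
        printf '%s: %s\n' "$key" "$status"
    done
    return $rc
}

# Usage on the constructed sample (temp file, removed afterwards).
sample=$(mktemp)
rc_write_sample_config "$sample"
rc_audit_im_paths "$sample" || echo "at least one ImageMagick path is configured; review it"
rm -f "$sample"
```

On a Debian system the file to pass is the site config rather than the packaged defaults (typically /etc/roundcube/config.inc.php), since a value there overrides whatever defaults.inc.php ships with.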