[Pkg-roundcube-maintainers] Security issues in roundcube 1.3.16+dfsg.1-1~deb10u1 and 1.4.11+dfsg.1-4

Salvatore Bonaccorso carnil at debian.org
Sat Nov 20 19:53:44 GMT 2021


Hi Guilhem,


On Thu, Nov 18, 2021 at 08:31:34PM +0100, Guilhem Moulin wrote:
> Dear security team,
> 
> In a recent post [0] roundcube webmail upstream has announced the
> following security fixes:
> 
>   - Fix XSS issue in handling attachment filename extension in mimetype
>     mismatch warning
>     https://github.com/roundcube/roundcubemail/pull/8193
>   - Fix possible SQL injection via some session variables
> 
> Unfortunately upstream didn't assign CVEs (yet?); not sure whether the
> latter warrants a DSA, but the former probably does.  Both issues are
> tracked as #1000156 in our BTS.
> 
> The package in Buster is currently following the 1.3 branch so I guess
> it makes sense to upload 1.3.17+dfsg.1-1~deb10u1 (roundcube-1.3.debdiff
> attached).
> 
> Given 1.4 is nowadays a bugfix-only branch, I propose to do the same and
> upload 1.4.12+dfsg.1-1~deb11u1.  If the attached roundcube-1.4.debdiff
> is beyond the scope of buster-security (it also contains a handful of
> cosmetic bugfixes as well as documentation fixes) I'll just apply these
> two commits:
> 
>     https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
>     https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
> 
> (And ask the release team if the rest would be suitable for s-p-u.)
> 
> Both versions have been tested.  I would appreciate if you could take
> care of the CVE assignment as upstream often doesn't follow up.  I'll
> hold the upload until the CVEs are assigned so we have proper numbers in
> d/changelog.

Acknowledging we got your update proposal. I think Seb will come back
to you for the review and ack, as he did review your earlier
proposals. Could you in the meantime already add the assigned CVEs for
it? (They are CVE-2021-44025 and CVE-2021-44026).

I think it will make sense to follow the 1.4 branch as well for
bullseye(-security) in case it is like 1.3 a security and bugfix only
branch.

Regards,
Salvatore
