[Pkg-roundcube-maintainers] Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content

Salvatore Bonaccorso carnil at debian.org
Sun Feb 13 09:05:25 GMT 2022


Control: severity -1 serious

Hi Guilhem,

On Mon, Jan 03, 2022 at 09:57:29AM +0100, Guilhem Moulin wrote:
> Control: notfixed -1 1.5.1+dfsg-1
> Control: found -1 1.5.1+dfsg-1
> 
> Hi Salvatore!
> 
> On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> > On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
> >> Package: roundcube
> >> Severity: important
> >> Tags: security
> >> Control: found -1 1.3.17+dfsg.1-1~deb10u1
> >> Control: found -1 1.4.12+dfsg.1-1~deb11u1
> >> Control: fixed -1 1.5.1+dfsg-1
> > 
> >                 ^^^^^^^^^^^^
> > 
> > Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> > that it is fixed in 1.5.2 upstream. Asking to clarify the
> > tracking.
> 
> Oops sorry wrong copy-paste, well spotted!  I'll propose uploads for
> buster- and bullseye-security later today; meanwhile perhaps you or
> another Security Team member would like to assign a CVE number for this?
> Then I'll have the proper d/changelog right away :-)
> 
> I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
> that it won't enter testing because 1.5 is not fully compatible with PHP
> 8.1.

Raising the severity for this bug to RC, hope you are fine with it.
Rationale: As the issues are now fixed in buster and bullseye via a
DSA, this makes it a regression for bookworm (though I understand that
roundcube cannot yet be uploaded to unstable/testing because of the PHP
8.1 compatibility issue).

Regards,
Salvatore
