[Pkg-roundcube-maintainers] Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content

Guilhem Moulin guilhem at debian.org
Mon Jan 3 08:57:29 GMT 2022


Control: notfixed -1 1.5.1+dfsg-1
Control: found -1 1.5.1+dfsg-1

Hi Salvatore!

On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
>> Package: roundcube
>> Severity: important
>> Tags: security
>> Control: found -1 1.3.17+dfsg.1-1~deb10u1
>> Control: found -1 1.4.12+dfsg.1-1~deb11u1
>> Control: fixed -1 1.5.1+dfsg-1
> 
>                 ^^^^^^^^^^^^
> 
> Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> that it is fixed in 1.5.2 upstream. Asking to clarify the
> tracking.

Oops, sorry, wrong copy-paste, well spotted!  I'll propose uploads for
buster- and bullseye-security later today; meanwhile perhaps you or
another Security Team member would like to assign a CVE number for this?
Then I'll have the proper d/changelog right away :-)

I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
that it won't enter testing because 1.5 is not fully compatible with PHP
8.1.

Cheers
-- 
Guilhem.