[Pkg-roundcube-maintainers] Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content

Salvatore Bonaccorso carnil at debian.org
Wed Jan 5 19:49:35 GMT 2022


Hi Guilhem,

On Mon, Jan 03, 2022 at 10:22:49AM +0100, Salvatore Bonaccorso wrote:
> Hi Guilhem,
> 
> On Mon, Jan 03, 2022 at 09:57:29AM +0100, Guilhem Moulin wrote:
> > Control: notfixed -1 1.5.1+dfsg-1
> > Control: found -1 1.5.1+dfsg-1
> > 
> > Hi Salvatore!
> > 
> > On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> > > On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
> > >> Package: roundcube
> > >> Severity: important
> > >> Tags: security
> > >> Control: found -1 1.3.17+dfsg.1-1~deb10u1
> > >> Control: found -1 1.4.12+dfsg.1-1~deb11u1
> > >> Control: fixed -1 1.5.1+dfsg-1
> > > 
> > >                 ^^^^^^^^^^^^
> > > 
> > > Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> > > that it is fixed in 1.5.2 upstream. Asking for clarifying the
> > > tracking.
> > 
> > Oops sorry wrong copy-paste, well spotted!  I'll propose uploads for
> > buster- and bullseye-security later today; meanwhile perhaps you or
> > another Security Team member would like to assign a CVE number for this?
> > Then I'll have the proper d/changelog right away :-)
> > 
> > I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
> > that it won't enter testing because 1.5 is not fully compatible with PHP
> > 8.1.
> 
> Thank you. I have requested a CVE, will update this bug once/if one is
> assigned.

FTR, have not yet heard back on the assignment. We can wait a bit
longer, but just wanted to say we do not necessarily need to block on
the missing assignment if we want to release the DSA earlier. The
issue is not that urgent though I think that we could not wait a bit
longer.

Regards,
Salvatore


