[Pkg-roundcube-maintainers] roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content

Sylvain Beucler beuc at beuc.net
Wed Jan 12 15:51:16 GMT 2022


Hi Guilhem,

On 12/01/2022 16:07, Guilhem Moulin wrote:
> On Wed, 12 Jan 2022 at 15:48:51 +0100, Sylvain Beucler wrote:
>> On 12/01/2022 14:15, Guilhem Moulin wrote:
>> Thanks for the update. Go ahead and upload to stretch-security, and I'll
>> publish the DLA accordingly :)
> 
> Uploaded to security-master, thank you!

DLA-2878-1 is sent to the mailing list and www.d.o :)

>> (out of curiosity, was there an issue with keeping the
>> "$this->config['charset']" bit from the original patch?)
> 
> Ah yeah, forgot to mention that bit :-)  There was no issue as far as I
> could tell.  I don't have a strong opinion either way, but given
> htmlspecialchars()'s optional 3rd argument was added for 1.4-beta in
> https://github.com/roundcube/roundcubemail/commit/73ea8f94d01a87c3b9e83c96d1b795ca27151f16
> I decided to drop it for stretch- and buster-security uploads.

Thanks for the precision.

Cheers!
Sylvain Beucler
Debian LTS Team
