[Pkg-roundcube-maintainers] CVE-2023-5631/roundcube: {bullseye, bookworm}-security uploads

Sébastien Delafond seb at debian.org
Fri Oct 20 05:29:04 BST 2023


On Thu, Oct 19 2023, Guilhem Moulin wrote:
> I'd like to propose the attached debdiffs (patch-applied, excluding
> debian/patches) to fix CVE-2023-5631/roundcube.
>
> Bullseye and Bookworm have respectively been following upstream's LTS
> (1.4) and stable (1.6) branch, so I imported 1.4.15 resp. 1.6.4 rather
> than doing a targeted fix.  For 1.4.15 the diff contains only that
> fix, for 1.6.4 there are a few other changes, but no new features.
>
> The d/rules change for 1.6 is because upstream used to update version
> numbers incl. the minor version in the tagged code, but since 1.6.2
> this is no longer the case and the about dialog shows ‘1.6-git’ rather
> than ‘1.6.4’.  The new sed commands are taken from the upstream
> Makefile, and the result (checked via DEP-8) matches what can be found
> in the upstream tarball.  The effect is only cosmetic, but if you
> prefer I can replace it with a static patch in debian/patches.
>
> Both 1.4.15+dfsg.1-1~deb11u1 and 1.6.4+dfsg-1~deb12u1 have been
> tested.

Hi Guilhem,

thanks for the debdiffs, I will review those hopefully later today.

Cheers,

-- 
Seb


