[Pkg-roundcube-maintainers] Bug#1052059: closed by Debian FTP Masters <ftpmaster at ftp-master.debian.org> (reply to Guilhem Moulin <guilhem at debian.org>) (Bug#1052059: fixed in roundcube 1.4.14+dfsg.1-1~deb11u1)

Martin Dosch martin at mdosch.de
Wed Sep 27 19:34:59 BST 2023


Dear Guilhem,

thank you very much for taking care of this. :)

Best regards,
Martin

On 27.09.2023 18:33, Debian Bug Tracking System wrote:
>This is an automatic notification regarding your Bug report
>which was filed against the roundcube package:
>
>#1052059: roundcube: CVE-2023-43770: XSS vulnerability in handling of linkrefs in plain text messages
>
>It has been closed by Debian FTP Masters <ftpmaster at ftp-master.debian.org> (reply to Guilhem Moulin <guilhem at debian.org>).
>
>Their explanation is attached below along with your original report.
>If this explanation is unsatisfactory and you have not received a
>better one in a separate message then please contact Debian FTP Masters <ftpmaster at ftp-master.debian.org> (reply to Guilhem Moulin <guilhem at debian.org>) by
>replying to this email.
>
>
>-- 
>1052059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052059
>Debian Bug Tracking System
>Contact owner at bugs.debian.org with problems

>Date: Wed, 27 Sep 2023 18:32:31 +0000
>From: Debian FTP Masters <ftpmaster at ftp-master.debian.org>
>To: 1052059-close at bugs.debian.org
>Subject: Bug#1052059: fixed in roundcube 1.4.14+dfsg.1-1~deb11u1
>
>Source: roundcube
>Source-Version: 1.4.14+dfsg.1-1~deb11u1
>Done: Guilhem Moulin <guilhem at debian.org>
>
>We believe that the bug you reported is fixed in the latest version of
>roundcube, which is due to be installed in the Debian FTP archive.
>
>A summary of the changes between this version and the previous one is
>attached.
>
>Thank you for reporting the bug, which will now be closed.  If you
>have further comments please address them to 1052059 at bugs.debian.org,
>and the maintainer will reopen the bug report if appropriate.
>
>Debian distribution maintenance software
>pp.
>Guilhem Moulin <guilhem at debian.org> (supplier of updated roundcube package)
>
>(This message was generated automatically at their request; if you
>believe that there is a problem with it please contact the archive
>administrators by mailing ftpmaster at ftp-master.debian.org)
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>Format: 1.8
>Date: Mon, 25 Sep 2023 11:32:59 +0200
>Source: roundcube
>Architecture: source
>Version: 1.4.14+dfsg.1-1~deb11u1
>Distribution: bullseye
>Urgency: high
>Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers at alioth-lists.debian.net>
>Changed-By: Guilhem Moulin <guilhem at debian.org>
>Closes: 1052059
>Changes:
> roundcube (1.4.14+dfsg.1-1~deb11u1) bullseye; urgency=high
> .
>   * New security/bugfix upstream release:
>     + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling
>       of linkrefs in plain text messages. (Closes: #1052059)
>     + Enigma: Fix initial synchronization of private keys.
>   * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
>   * Refresh d/patches.
>
>-----BEGIN PGP SIGNATURE-----
>
>-----END PGP SIGNATURE-----

>Date: Sat, 16 Sep 2023 20:44:16 +0200
>From: Martin Dosch <martin at mdosch.de>
>To: Debian Bug Tracking System <submit at bugs.debian.org>
>Subject: roundcube: Please apply security fix from 1.6.3
>Jabber-ID: martin at mdosch.de
>
>Package: roundcube
>Severity: normal
>Tags: upstream
>
>Dear Maintainer,
>
>upstream released version 1.6.3 which fixes a security issue with the
>1.6.x and I kindly ask you to apply the fix for the version in Debian
>stable.
>
>https://roundcube.net/news/2023/09/15/security-update-1.6.3-released
>
>Best regards,
>Martin
>
>-- System Information:
>Debian Release: 12.1
>  APT prefers stable-updates
>  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
>Architecture: amd64 (x86_64)
>Foreign Architectures: i386
>
>Kernel: Linux 6.1.0-12-amd64 (SMP w/4 CPU threads; PREEMPT)
>Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
>Shell: /bin/sh linked to /usr/bin/dash
>Init: systemd (via /run/systemd/system)
>LSM: AppArmor: enabled
>
>Versions of packages roundcube depends on:
>ii  dpkg            1.21.22
>pn  roundcube-core  <none>
>
>roundcube recommends no packages.
>
>roundcube suggests no packages.


