[Pkg-roundcube-maintainers] CVE-2024-42009/roundcube: bookworm-security upload

Moritz Muehlenhoff jmm at inutil.org
Wed Aug 7 08:18:53 BST 2024


On Tue, Aug 06, 2024 at 06:31:37PM +0200, Guilhem Moulin wrote:
> Dear security team,
> 
> I misjudged the severity of CVE-2024-42009 when filing #1077969.  The
> XSS appears to be critical, see the reporter's report at
> https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/
> 
> I'd like to propose the attached tested debdiffs to fix that
> vulnerability as well as CVE-2024-42008, CVE-2024-42010, and a couple of
> other issues.  All patches were cherry-picked from upstream's 1.6.8
> release.

debdiff looks fine, please upload to security-master.

> Unfortunately for bullseye the backport requires more work.  I'll try to
> do that ASAP but I'm not yet sure that I will have time to finalize it
> before the suite is handed over to the LTS team.

That's fine, sometimes packages need longer for oldstable and can always
be released later, we're e.g. also releasing Linux 5.10 and 6.1 on different
cadences. Or ffmpeg as well.


Cheers,
        Moritz