[Pkg-roundcube-maintainers] CVE-2024-42009/roundcube: bookworm-security upload

Moritz Mühlenhoff jmm at inutil.org
Thu Aug 8 11:50:10 BST 2024


On Wed, Aug 07, 2024 at 09:18:53AM +0200, Moritz Muehlenhoff wrote:
> On Tue, Aug 06, 2024 at 06:31:37PM +0200, Guilhem Moulin wrote:
> > Dear security team,
> > 
> > I misjudged the severity of CVE-2024-42009 when filing #1077969.  The
> > XSS appears to be critical, see the reporter's report at
> > https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/
> > 
> > I'd like to propose the attached tested debdiffs to fix that
> > vulnerability as well as CVE-2024-42008, CVE-2024-42010, and a couple of
> > other issues.  All patches were cherry-picked from upstream's 1.6.8
> > release.
> 
> debdiff looks fine, please upload to security-master.

DSA has been released, thanks!

Cheers,
	 Moritz
