[Pkg-roundcube-maintainers] CVE-2024-42009/roundcube: bullseye-security upload

Moritz Muehlenhoff jmm at inutil.org
Mon Aug 12 13:53:22 BST 2024


On Mon, Aug 12, 2024 at 01:05:09PM +0200, Guilhem Moulin wrote:
> Hi,
> 
> On Tue, 06 Aug 2024 at 18:31:37 +0200, Guilhem Moulin wrote:
> > Unfortunately for bullseye the backport requires more work.  I'll try to
> > do that ASAP but I'm not yet sure that I will have time to finalize it
> > before the suite is handed over to the LTS team.
> 
> Thanks for the bookworm DSA!  Here comes a debdiff for bullseye-security.
> The backports were quite intrusive but have now been thoroughly tested,
> incl. on two production instances totaling ~200 users, AFAIK none of whom
> reported any misbehavior.

Thanks! Looks good, please upload to security-master.

> Note that the original patch for CVE-2024-42008 introduces a regression
> (#1078456): it sets a too restrictive Content-Security-Policy on the
> attachment preview page which breaks printing and other handling of
> image attachments.  I backported the fix for 1.4.15+dfsg.1-1+deb11u4,
> but 1.6.5+dfsg-1+deb12u3 is affected.  I assume this doesn't warrant a
> follow-up DSA, right?  Will go via s-pu in that case.

Given that it was introduced in a DSA, let's also address the regression
in a DSA. What's in the bookworm branch on salsa looks good, can you
please bump the version to 1.6.5+dfsg-1+deb12u4 and also upload to security-master?

Cheers,
        Moritz
