[Pkg-roundcube-maintainers] CVE-2024-42009/roundcube: bullseye-security upload
Guilhem Moulin
guilhem at debian.org
Mon Aug 12 14:31:28 BST 2024
On Mon, 12 Aug 2024 at 14:53:22 +0200, Moritz Muehlenhoff wrote:
> On Mon, Aug 12, 2024 at 01:05:09PM +0200, Guilhem Moulin wrote:
>> On Tue, 06 Aug 2024 at 18:31:37 +0200, Guilhem Moulin wrote:
>>> Unfortunately for bullseye the backport requires more work. I'll try to
>>> do that ASAP but I'm not yet sure that I will have time to finalize it
>>> before the suite is handed over to the LTS team.
>>
>> Thanks for the bookworm DSA! Here comes a debdiff for bullseye-security.
>> The backports were quite intrusive but have now been thoroughly tested,
>> incl. on two production instances totaling ~200 users AFAIK none of whom
>> didn't report any misbehavior.
>
> Thanks! Looks good, please upload to security-master.
Done! (Meant “AFAIK none of whom reported any misbehavior” of course.)
>> Note that the original patch for CVE-2024-42008 introduces a regression
>> (#1078456): it sets a too restrictive Content-Security-Policy on the
>> attachment preview page which breaks printing and other handling of
>> image attachments. I backported the fix for 1.4.15+dfsg.1-1+deb11u4,
>> but 1.6.5+dfsg-1+deb12u3 is affected. I assume this doesn't warrant a
>> follow-up DSA, right? Will go via s-pu in that case.
>
> Given that it was introduced in a DSA, let's also address the regression
> in a DSA. What's in the bookworm branch on salsa looks good, can you
> please bump the version to 1.6.5+dfsg-1+deb12u4 and also upload to security-master?
OK! Done that as well.
--
Guilhem.