[Pkg-roundcube-maintainers] bookworm-security upload for CVE-2025-49113/roundcube
Moritz Mühlenhoff
jmm at inutil.org
Mon Jun 2 14:28:48 BST 2025
On Mon, Jun 02, 2025 at 01:45:10PM +0200, Guilhem Moulin wrote:
> Hi,
>
> I'd like to propose the attached tested debdiff to fix CVE-2025-49113 in
> roundcube. AFAICT neither upstream nor the reporter provided a PoC, but
> a simple way to trigger the attack is to edit app.js to pass a malicious
> crafted _from parameter when uploading an image. Such a request now
> fails with an “Invalid input” error.
>
> The debdiff also includes a regression fix for the CVE-2024-42009 patch.
> Both patches come from upstream's release-1.6 branch.
Thanks! This looks good. Please upload to security-master.
Cheers,
Moritz
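The quoted message describes the observable effect of the fix: an upload request carrying a crafted `_from` parameter now fails with an "Invalid input" error. As an added illustration of that kind of allow-list check (this is not Roundcube's code, which is PHP, and not the patch in the debdiff; the accepted character class, the length limit, the error text and all sample values are assumptions for the example), the block below validates a `_from` value before a simulated upload handler uses it. It also shows a pitfall when such a check is written with a regular expression: `$` matches before a trailing newline, so a `^...$` pattern used with `re.match` accepts `"identity\n"`, while `re.fullmatch` rejects it.

```python
import re

# Assumed allow-list for the `_from` parameter: the values the mail client's
# own JavaScript sends are short ASCII identifiers (assumption for this example).
_FROM_ALLOWED = re.compile(r"[a-z0-9_-]+", re.IGNORECASE)


class InvalidInput(ValueError):
    """Raised when a request parameter fails validation."""


def validate_from(value, max_len=64):
    """Return `value` if it is an acceptable `_from` identifier, else raise.

    fullmatch() anchors at both ends of the string and does not have the
    `$`-before-trailing-newline behaviour of match()/search().
    """
    if not isinstance(value, str):
        raise InvalidInput("Invalid input")
    if len(value) == 0 or len(value) > max_len:
        raise InvalidInput("Invalid input")
    if _FROM_ALLOWED.fullmatch(value) is None:
        raise InvalidInput("Invalid input")
    return value


def naive_is_valid(value):
    """The check many people write first: ^...$ with match().

    Kept only to show why it is insufficient; it accepts "identity\n".
    """
    return re.match(r"^[a-z0-9_-]+$", value, re.IGNORECASE) is not None


def handle_upload(params):
    """Stand-in for the relevant part of an upload handler (constructed for
    this example, not Roundcube's handler): validate `_from` before it is
    used for anything else, and fail the request on bad input."""
    try:
        source = validate_from(params.get("_from", ""))
    except InvalidInput as exc:
        return {"status": "error", "message": str(exc)}
    return {"status": "ok", "from": source}


# Constructed sample inputs and the expected outcome (True = accepted);
# none of these are taken from a real request.
SAMPLES = {
    "identity": True,
    "edit-identity": True,
    "response_1": True,
    "": False,
    "identity!": False,
    "../identity": False,
    "identity\n": False,
    "identity\x00": False,
    "a" * 65: False,
}


def run_samples():
    """Map each sample to whether the simulated handler accepted it."""
    return {s: handle_upload({"_from": s})["status"] == "ok" for s in SAMPLES}


if __name__ == "__main__":
    for sample, accepted in run_samples().items():
        print(f"{sample!r:24} -> {'accepted' if accepted else 'Invalid input'}")
    print("naive ^...$ check accepts 'identity\\n':", naive_is_valid("identity\n"))
```

The point of the last line is the caveat: a `^...$` pattern looks anchored but still lets a value with a trailing newline through, which is why the validating function uses `fullmatch` and also bounds the length rather than relying on the pattern alone.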