Acknowledgement sent
to Guilhem Moulin <guilhem@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>.
(Sun, 02 Jan 2022 21:54:03 GMT).
Marked as found in versions roundcube/1.3.17+dfsg.1-1~deb10u1.
Request was from Guilhem Moulin <guilhem@debian.org>
to submit@bugs.debian.org.
(Sun, 02 Jan 2022 21:54:03 GMT).
Marked as found in versions roundcube/1.4.12+dfsg.1-1~deb11u1.
Request was from Guilhem Moulin <guilhem@debian.org>
to submit@bugs.debian.org.
(Sun, 02 Jan 2022 21:54:03 GMT).
Marked as fixed in versions roundcube/1.5.1+dfsg-1.
Request was from Guilhem Moulin <guilhem@debian.org>
to submit@bugs.debian.org.
(Sun, 02 Jan 2022 21:54:04 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>: Bug#1003027; Package roundcube.
(Mon, 03 Jan 2022 08:51:04 GMT).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>.
(Mon, 03 Jan 2022 08:51:04 GMT).
To: Guilhem Moulin <guilhem@debian.org>, 1003027@bugs.debian.org
Subject: Re: Bug#1003027: roundcube: XSS vulnerability via HTML messages with
malicious CSS content
Date: Mon, 3 Jan 2022 09:47:28 +0100
Hi Guilhem,
On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
> Package: roundcube
> Severity: important
> Tags: security
> Control: found -1 1.3.17+dfsg.1-1~deb10u1
> Control: found -1 1.4.12+dfsg.1-1~deb11u1
> Control: fixed -1 1.5.1+dfsg-1
^^^^^^^^^^^^
Is this correct with the 1.5.1+dfsg-1 version? The release notes say
that it is fixed in 1.5.2 upstream. Asking for clarifying the
tracking.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>: Bug#1003027; Package roundcube.
(Mon, 03 Jan 2022 09:00:02 GMT).
Acknowledgement sent
to Guilhem Moulin <guilhem@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>.
(Mon, 03 Jan 2022 09:00:02 GMT).
Control: notfixed -1 1.5.1+dfsg-1
Control: found -1 1.5.1+dfsg-1
Hi Salvatore!
On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
>> Package: roundcube
>> Severity: important
>> Tags: security
>> Control: found -1 1.3.17+dfsg.1-1~deb10u1
>> Control: found -1 1.4.12+dfsg.1-1~deb11u1
>> Control: fixed -1 1.5.1+dfsg-1
>
> ^^^^^^^^^^^^
>
> Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> that it is fixed in 1.5.2 upstream. Asking for clarifying the
> tracking.
Oops sorry wrong copy-paste, well spotted! I'll propose uploads for
buster- and bullseye-security later today; meanwhile perhaps you or
another Security Team member would like to assign a CVE number for this?
Then I'll have the proper d/changelog right away :-)
I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
that it won't enter testing because 1.5 is not fully compatible with PHP
8.1.
Cheers
--
Guilhem.
No longer marked as fixed in versions roundcube/1.5.1+dfsg-1.
Request was from Guilhem Moulin <guilhem@debian.org>
to 1003027-submit@bugs.debian.org.
(Mon, 03 Jan 2022 09:00:02 GMT).
Marked as found in versions roundcube/1.5.1+dfsg-1.
Request was from Guilhem Moulin <guilhem@debian.org>
to 1003027-submit@bugs.debian.org.
(Mon, 03 Jan 2022 09:00:03 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>: Bug#1003027; Package roundcube.
(Mon, 03 Jan 2022 09:27:03 GMT).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>.
(Mon, 03 Jan 2022 09:27:03 GMT).
Cc: 1003027@bugs.debian.org,
Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1003027: roundcube: XSS vulnerability via HTML messages with
malicious CSS content
Date: Mon, 3 Jan 2022 10:22:49 +0100
Hi Guilhem,
On Mon, Jan 03, 2022 at 09:57:29AM +0100, Guilhem Moulin wrote:
> Control: notfixed -1 1.5.1+dfsg-1
> Control: found -1 1.5.1+dfsg-1
>
> Hi Salvatore!
>
> On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> > On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
> >> Package: roundcube
> >> Severity: important
> >> Tags: security
> >> Control: found -1 1.3.17+dfsg.1-1~deb10u1
> >> Control: found -1 1.4.12+dfsg.1-1~deb11u1
> >> Control: fixed -1 1.5.1+dfsg-1
> >
> > ^^^^^^^^^^^^
> >
> > Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> > that it is fixed in 1.5.2 upstream. Asking for clarifying the
> > tracking.
>
> Oops sorry wrong copy-paste, well spotted! I'll propose uploads for
> buster- and bullseye-security later today; meanwhile perhaps you or
> another Security Team member would like to assign a CVE number for this?
> Then I'll have the proper d/changelog right away :-)
>
> I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
> that it won't enter testing because 1.5 is not fully compatible with PHP
> 8.1.
Thank you. I have requested a CVE, will update this bug once/if one is
assigned.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>: Bug#1003027; Package roundcube.
(Wed, 05 Jan 2022 19:51:03 GMT).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>.
(Wed, 05 Jan 2022 19:51:03 GMT).
Cc: Guilhem Moulin <guilhem@debian.org>,
Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1003027: roundcube: XSS vulnerability via HTML messages with
malicious CSS content
Date: Wed, 5 Jan 2022 20:49:35 +0100
Hi Guilhem,
On Mon, Jan 03, 2022 at 10:22:49AM +0100, Salvatore Bonaccorso wrote:
> Hi Guilhem,
>
> On Mon, Jan 03, 2022 at 09:57:29AM +0100, Guilhem Moulin wrote:
> > Control: notfixed -1 1.5.1+dfsg-1
> > Control: found -1 1.5.1+dfsg-1
> >
> > Hi Salvatore!
> >
> > On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> > > On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
> > >> Package: roundcube
> > >> Severity: important
> > >> Tags: security
> > >> Control: found -1 1.3.17+dfsg.1-1~deb10u1
> > >> Control: found -1 1.4.12+dfsg.1-1~deb11u1
> > >> Control: fixed -1 1.5.1+dfsg-1
> > >
> > > ^^^^^^^^^^^^
> > >
> > > Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> > > that it is fixed in 1.5.2 upstream. Asking for clarifying the
> > > tracking.
> >
> > Oops sorry wrong copy-paste, well spotted! I'll propose uploads for
> > buster- and bullseye-security later today; meanwhile perhaps you or
> > another Security Team member would like to assign a CVE number for this?
> > Then I'll have the proper d/changelog right away :-)
> >
> > I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
> > that it won't enter testing because 1.5 is not fully compatible with PHP
> > 8.1.
>
> Thank you. I have requested a CVE, will update this bug once/if one is
> assigned.
FTR, have not yet heard back on the assignment. We can wait a bit
longer, but just wanted to say we do not necessarily need to block on
the missing assignment if we want to release the DSA earlier. The
issue is not that urgent though I think that we could not wait a bit
longer.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>: Bug#1003027; Package roundcube.
(Wed, 05 Jan 2022 20:24:02 GMT).
Acknowledgement sent
to Guilhem Moulin <guilhem@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>.
(Wed, 05 Jan 2022 20:24:02 GMT).
Hi carnil,
On Wed, 05 Jan 2022 at 20:49:35 +0100, Salvatore Bonaccorso wrote:
> FTR, have not yet heard back on the assignment. We can wait a bit
> longer, but just wanted to say we do not necessarily need to block on
> the missing assignment if we want to release the DSA earlier. The
> issue is not that urgent though I think that we could not wait a bit
> longer.
Thanks for the follow-up! I have the debdiff ready (modulo d/changelog)
but I agree with your assessment that the severity is not serious
enough to warrant rushing the DSA through. Let's wait a bit longer then :-)
cheers,
--
Guilhem.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>: Bug#1003027; Package roundcube.
(Thu, 06 Jan 2022 05:15:02 GMT).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>.
(Thu, 06 Jan 2022 05:15:02 GMT).
To: Guilhem Moulin <guilhem@debian.org>, 1003027@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1003027: roundcube: XSS vulnerability via HTML messages with
malicious CSS content
Date: Thu, 6 Jan 2022 06:10:19 +0100
Control: retitle -1 roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content
Hi Guilhem,
On Wed, Jan 05, 2022 at 09:19:49PM +0100, Guilhem Moulin wrote:
> Hi carnil,
>
> On Wed, 05 Jan 2022 at 20:49:35 +0100, Salvatore Bonaccorso wrote:
> > FTR, have not yet heard back on the assignment. We can wait a bit
> > longer, but just wanted to say we do not necessarily need to block on
> > the missing assignment if we want to release the DSA earlier. The
> > issue is not that urgent though I think that we could not wait a bit
> > longer.
>
> Thanks for the follow-up! I have the debdiff ready (modulo d/changelog)
> but I agree with your assessment that the severity is not serious
> enough to warrant rushing the DSA through. Let's wait a bit longer then :-)
CVE-2021-46144 has been assigned for the roundcube issue.
Regards,
Salvatore
Changed Bug title to 'roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content' from 'roundcube: XSS vulnerability via HTML messages with malicious CSS content'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 1003027-submit@bugs.debian.org.
(Thu, 06 Jan 2022 05:15:02 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>: Bug#1003027; Package roundcube.
(Thu, 06 Jan 2022 08:12:03 GMT).
Acknowledgement sent
to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>.
(Thu, 06 Jan 2022 08:12:03 GMT).
Cc: Guilhem Moulin <guilhem@debian.org>, 1003027@bugs.debian.org,
Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1003027: roundcube: XSS vulnerability via HTML messages with
malicious CSS content
Date: Thu, 6 Jan 2022 09:09:33 +0100
On 06/01 06:10, Salvatore Bonaccorso wrote:
> CVE-2021-46144 has been assigned for the roundcube issue.
Thanks for taking care of this Salvatore. I'll review the debdiffs once
Guilhem sends them, and will take care of the DSA afterwards.
Cheers,
--
Seb
Reply sent
to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility.
(Sat, 08 Jan 2022 18:21:06 GMT).
Notification sent
to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer.
(Sat, 08 Jan 2022 18:21:06 GMT).
Subject: Bug#1003027: fixed in roundcube 1.4.13+dfsg.1-1~deb11u1
Date: Sat, 08 Jan 2022 18:17:28 +0000
Source: roundcube
Source-Version: 1.4.13+dfsg.1-1~deb11u1
Done: Guilhem Moulin <guilhem@debian.org>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1003027@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 06 Jan 2022 08:51:41 +0100
Source: roundcube
Architecture: source
Version: 1.4.13+dfsg.1-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1003027
Changes:
roundcube (1.4.13+dfsg.1-1~deb11u1) bullseye-security; urgency=high
.
* New security upstream release, with fix for CVE-2021-46144: XSS
vulnerability via HTML messages with malicious CSS content
(closes: #1003027).
* Prepend '<!-- html ignored -->' to the test vector of the above.
* Refresh d/patches.
Reply sent
to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility.
(Sat, 08 Jan 2022 19:21:07 GMT).
Notification sent
to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer.
(Sat, 08 Jan 2022 19:21:07 GMT).
Subject: Bug#1003027: fixed in roundcube 1.3.17+dfsg.1-1~deb10u2
Date: Sat, 08 Jan 2022 19:17:39 +0000
Source: roundcube
Source-Version: 1.3.17+dfsg.1-1~deb10u2
Done: Guilhem Moulin <guilhem@debian.org>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1003027@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 06 Jan 2022 09:04:44 +0100
Source: roundcube
Architecture: source
Version: 1.3.17+dfsg.1-1~deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1003027
Changes:
roundcube (1.3.17+dfsg.1-1~deb10u2) buster-security; urgency=high
.
* Backport fix for CVE-2021-46144: Fix cross-site scripting (XSS) via HTML
messages with malicious CSS content. (Closes: #1003027)
Marked as found in versions roundcube/1.3.0+dfsg.1-1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sat, 12 Feb 2022 21:57:07 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>: Bug#1003027; Package roundcube.
(Sun, 13 Feb 2022 09:09:02 GMT).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>.
(Sun, 13 Feb 2022 09:09:02 GMT).
To: Guilhem Moulin <guilhem@debian.org>, 1003027@bugs.debian.org
Subject: Re: Bug#1003027: roundcube: XSS vulnerability via HTML messages with
malicious CSS content
Date: Sun, 13 Feb 2022 10:05:25 +0100
Control: severity -1 serious
Hi Guilhem,
On Mon, Jan 03, 2022 at 09:57:29AM +0100, Guilhem Moulin wrote:
> Control: notfixed -1 1.5.1+dfsg-1
> Control: found -1 1.5.1+dfsg-1
>
> Hi Salvatore!
>
> On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> > On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
> >> Package: roundcube
> >> Severity: important
> >> Tags: security
> >> Control: found -1 1.3.17+dfsg.1-1~deb10u1
> >> Control: found -1 1.4.12+dfsg.1-1~deb11u1
> >> Control: fixed -1 1.5.1+dfsg-1
> >
> > ^^^^^^^^^^^^
> >
> > Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> > that it is fixed in 1.5.2 upstream. Asking for clarifying the
> > tracking.
>
> Oops sorry wrong copy-paste, well spotted! I'll propose uploads for
> buster- and bullseye-security later today; meanwhile perhaps you or
> another Security Team member would like to assign a CVE number for this?
> Then I'll have the proper d/changelog right away :-)
>
> I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
> that it won't enter testing because 1.5 is not fully compatible with PHP
> 8.1.
Raising the severity for this bug to RC, hope you are fine with it.
Rationale: As the issues are now fixed in buster and bullseye via a
DSA, this makes it a regression for bookworm (though I understand yet
roundcube cannot be uploaded for unstable/testing as for the PHP 8.1
compatibility).
Regards,
Salvatore
Severity set to 'serious' from 'important'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 1003027-submit@bugs.debian.org.
(Sun, 13 Feb 2022 09:09:02 GMT).
Reply sent
to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility.
(Mon, 14 Mar 2022 00:09:06 GMT).
Notification sent
to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer.
(Mon, 14 Mar 2022 00:09:06 GMT).
Subject: Bug#1003027: fixed in roundcube 1.6~beta+dfsg-1
Date: Mon, 14 Mar 2022 00:06:38 +0000
Source: roundcube
Source-Version: 1.6~beta+dfsg-1
Done: Guilhem Moulin <guilhem@debian.org>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1003027@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 14 Mar 2022 00:16:05 +0100
Source: roundcube
Architecture: source
Version: 1.6~beta+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1000642 1003027
Changes:
roundcube (1.6~beta+dfsg-1) experimental; urgency=medium
.
* New beta upstream release. Highlights for major version 1.6 include:
- Full PHP 8.1 support (closes: #1000642)
- Unified and simplified services connection options:
. renamed `default_host` resp. `smtp_server` to `imap_host` resp.
`smtp_host`
. removed `default_port`, `smtp_port`, `managesieve_port` and
`managesieve_usetls` options
- The classic and larry skins are no longer included in the upstream
repository hence are excluded from this source package; we will ship in
separate packages.
* Add d/roundcube-core.NEWS to highlight the above.
* Update default value for roundcube/hosts template to "localhost:143" to
match the upstream default.
* Update d/copyright.
* Update d/sql.
* Refresh d/patches. Remove the following patches (now obsolete or applied
upstream):
- fix-FTBFS-with-phpunit-8.patch
- fix-file-list-in-phpunit-configuration.patch
- fix-FTBFS-with-phpunit-9.patch
* Add patch to fix `$rcmail->format_date(.., 'x')` calls.
* Remove mismatched Lintian override.
* Add 'Restrictions: rw-build-tree' to the phpunit DEP-8 test as it writes
into tests/.phpunit.result.cache.
* Add aspell-en and php-pspell to Build-Depends (unless under 'nocheck'
build profile) and DEP-8 test to test Framework_SpellcheckerPspell.
* Add hunspell-en-us and php-enchant to Build-Depends (unless under
'nocheck' build profile) and DEP-8 test to test
Framework_SpellcheckerEnchant.
* Add php-roundcube-rtf-html-php to Build-Depends (unless under 'nocheck'
build profile) and DEP-8 test to test Framework_TnefDecoder.
* Add php-bacon-qr-code to Build-Depends (unless under 'nocheck'
build profile) and DEP-8 test to test Actions_Contacts_Qrcode.
* d/rules, d/t/control: Mark flaky tests as such and run phpunit with
`--exclude-group=flaky --fail-on-skipped` in build-time and DEP-8 tests.
* CI: Disable piuparts which is bound to fail due to the schema upgrade.
* d/rules: Replace '$(dir $@)' with '$(@D)'.
.
roundcube (1.5.2+dfsg-1) unstable; urgency=medium
.
* New upstream bugfix & security release (closes: #1003027).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 30 Jul 2022 07:25:54 GMT).