Your message dated Sat, 08 Jan 2022 18:17:28 +0000
with message-id <[email protected]>
and subject line Bug#1003027: fixed in roundcube 1.4.13+dfsg.1-1~deb11u1
has caused the Debian Bug report #1003027,
regarding roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with
malicious CSS content
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1003027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003027
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: roundcube
Severity: important
Tags: security
Control: found -1 1.3.17+dfsg.1-1~deb10u1
Control: found -1 1.4.12+dfsg.1-1~deb11u1
Control: fixed -1 1.5.1+dfsg-1
In a recent post roundcube webmail upstream has announced a fix for a
cross-site scripting (XSS) vulnerability via HTML messages with
malicious CSS content.
Upstream fix for the 1.4 LTS branch:
https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8
There was no new 1.3 LTS release but AFAICT 1.3 is affected as well and
the same fix applies.
--
Guilhem.
[0] https://roundcube.net/news/2021/12/30/security-update-1.4.13-released
https://roundcube.net/news/2021/12/30/update-1.5.2-released
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.4.13+dfsg.1-1~deb11u1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 06 Jan 2022 08:51:41 +0100
Source: roundcube
Architecture: source
Version: 1.4.13+dfsg.1-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1003027
Changes:
 roundcube (1.4.13+dfsg.1-1~deb11u1) bullseye-security; urgency=high
 .
   * New security upstream release, with fix for CVE-2021-46144: XSS
     vulnerability via HTML messages with malicious CSS content
     (closes: #1003027).
   * Prepend '<!-- html ignored -->' to the test vector of the above.
   * Refresh d/patches.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---