Your message dated Sat, 28 Oct 2023 20:33:25 +0000
with message-id <[email protected]>
and subject line Bug#1054079: fixed in roundcube 1.6.4+dfsg-1~deb12u1
has caused the Debian Bug report #1054079,
regarding roundcube: CVE-2023-5631: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1054079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.3+dfsg-2
Severity: important
Tags: security upstream
Control: found -1 1.3.17+dfsg.1-1~deb10u3
Control: found -1 1.4.14+dfsg.1-1~deb11u1
Control: found -1 1.6.3+dfsg-1~deb12u1
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/9168

In a recent post roundcube webmail upstream has announced the
following security fix:

 * Fix cross-site scripting (XSS) vulnerability in handling of SVG in
   HTML messages.

AFAICT no CVE ID has been assigned or requested yet, so I'll file a
request to that effect.  Upstream fixes for stable and LTS branches:

    1.6.x https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
    1.4.x https://github.com/roundcube/roundcubemail/commit/7b2df52ede57bab9e87e9c3bc00601eeca591a5e
          https://github.com/roundcube/roundcubemail/commit/dc7b6850c68870570b438d79c0949a5031522127

1.3.x is no longer supported upstream but AFAICT affected nonetheless.

-- 
Guilhem.



--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.4+dfsg-1~deb12u1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Oct 2023 00:20:52 +0200
Source: roundcube
Architecture: source
Version: 1.6.4+dfsg-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1054079
Changes:
 roundcube (1.6.4+dfsg-1~deb12u1) bookworm-security; urgency=high
 .
   * New upstream security and bugfix release:
     + Fix CVE-2023-5631: Cross-site scripting (XSS) vulnerability in handling
       of SVG in HTML messages. (Closes: #1054079)
     + Managesieve plugin: Fix javascript error when relational or spamtest
       extension is not enabled.
     + Fix PHP8 warnings.
   * Replace upstream release “version” 1.6-git with the actual tagged version.
   * Add DEP-8 test to check RCMAIL_VERSION against d/changelog.
   * Salsa CI: Disable lintian and reprotest jobs.
   * Refresh patches.


--- End Message ---
