Your message dated Sat, 28 Oct 2023 20:34:21 +0000
with message-id <[email protected]>
and subject line Bug#1054079: fixed in roundcube 1.4.15+dfsg.1-1~deb11u1
has caused the Debian Bug report #1054079,
regarding roundcube: CVE-2023-5631: cross-site scripting (XSS) vulnerability in
handling of SVG in HTML messages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1054079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.3+dfsg-2
Severity: important
Tags: security upstream
Control: found -1 1.3.17+dfsg.1-1~deb10u3
Control: found -1 1.4.14+dfsg.1-1~deb11u1
Control: found -1 1.6.3+dfsg-1~deb12u1
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/9168
In a recent post roundcube webmail upstream has announced the
following security fix:
* Fix cross-site scripting (XSS) vulnerability in handling of SVG in
HTML messages.
AFAICT no CVE ID has been assigned or requested yet, so I'll file a
request to that effect. Upstream fixes for stable and LTS branches:
1.6.x
https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
1.4.x
https://github.com/roundcube/roundcubemail/commit/7b2df52ede57bab9e87e9c3bc00601eeca591a5e
https://github.com/roundcube/roundcubemail/commit/dc7b6850c68870570b438d79c0949a5031522127
1.3.x is no longer supported upstream but AFAICT affected nonetheless.
--
Guilhem.
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.4.15+dfsg.1-1~deb11u1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 18 Oct 2023 23:40:57 +0200
Source: roundcube
Architecture: source
Version: 1.4.15+dfsg.1-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1054079
Changes:
roundcube (1.4.15+dfsg.1-1~deb11u1) bullseye-security; urgency=high
.
* New security/bugfix upstream release:
+ Fix CVE-2023-5631: Cross-site scripting (XSS) vulnerability in handling
of SVG in HTML messages. (Closes: #1054079)
* Salsa CI: Disable lintian and reprotest jobs.
* Refresh patches.
Checksums-Sha1:
 7a00843c75c8bbbee2625d3fa571bfcf2accfa91 3273 roundcube_1.4.15+dfsg.1-1~deb11u1.dsc
 fb0b5deacca5863d37a0b10c3771f27c91d4545e 128840 roundcube_1.4.15+dfsg.1.orig-tinymce-langs.tar.xz
 a53c61b8ec041aa5a15be0da438a990a34acc072 889052 roundcube_1.4.15+dfsg.1.orig-tinymce.tar.xz
 a3591df13cae970b04c53651221f316ba521c473 2976560 roundcube_1.4.15+dfsg.1.orig.tar.xz
 3f9db1cb9d5a73d3f27c84c4bef04c988e297fe4 95980 roundcube_1.4.15+dfsg.1-1~deb11u1.debian.tar.xz
 1e4ded25fb55afea0120b6ccb4088da34f10513b 10829 roundcube_1.4.15+dfsg.1-1~deb11u1_amd64.buildinfo
Checksums-Sha256:
 169da28484e7a82978623b5311751389c07c5eebdadd1c223dbf917bf9f5add6 3273 roundcube_1.4.15+dfsg.1-1~deb11u1.dsc
 d1806e62b75b5e2c8bbbce987abd3eae874f205dd560ad8f6f02a2171c8cf23a 128840 roundcube_1.4.15+dfsg.1.orig-tinymce-langs.tar.xz
 b61678512254fc2af25a42ac689ac6df69bdf6d15d7aea6e9001c8868653ee74 889052 roundcube_1.4.15+dfsg.1.orig-tinymce.tar.xz
 f56e664cddb698cf0eeefb1a34dd495ce0e6d29643b2e2ec0ae5cb9c6342882f 2976560 roundcube_1.4.15+dfsg.1.orig.tar.xz
 d1d52e5fe6148f6a111a1295b563f885cf0f4fdba76b18a61386b3fd4c6c049f 95980 roundcube_1.4.15+dfsg.1-1~deb11u1.debian.tar.xz
 44471f38e9fe60562eda90c035142d4b51c96612e3ae1c34fb74130b97ea36fc 10829 roundcube_1.4.15+dfsg.1-1~deb11u1_amd64.buildinfo
Files:
 ab265a425abdd16b06d8250177823da2 3273 web optional roundcube_1.4.15+dfsg.1-1~deb11u1.dsc
 450c693c68d2642b15356d06255a0d4c 128840 web optional roundcube_1.4.15+dfsg.1.orig-tinymce-langs.tar.xz
 5b440fff53353d7c0ad73292c1cfe6e2 889052 web optional roundcube_1.4.15+dfsg.1.orig-tinymce.tar.xz
 e98d3d252094ea231c3b02a3ff39471a 2976560 web optional roundcube_1.4.15+dfsg.1.orig.tar.xz
 6b8e6b8616571d0365ba50f411b35999 95980 web optional roundcube_1.4.15+dfsg.1-1~deb11u1.debian.tar.xz
 bef11cc961770f68a6d15940dd7db83c 10829 web optional roundcube_1.4.15+dfsg.1-1~deb11u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
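The Checksums-Sha256 stanza in the .changes above is what an administrator should compare a downloaded source package against before building or auditing it. The following Python is an added example, not part of the BTS message or of the roundcube package: it parses the Checksums-Sha256 stanza of a .changes file (one "hash size filename" entry per indented line) and reports each file as ok, missing, size-mismatch or sha256-mismatch. The roundcube stanza is copied from the message above; the hello.txt, evil.txt, short.txt and lost.txt inputs are constructed for the self-test.

```python
"""Verify files against the Checksums-Sha256 stanza of a Debian .changes file.

Added example (not Debian's or roundcube's code). The ROUNDCUBE_CHANGES
stanza is copied from the 1.4.15+dfsg.1-1~deb11u1 .changes above; the
SAMPLE_* data is constructed so the self-test runs offline.
"""
import hashlib
import os
import re

# Copied from the .changes text above, one entry per continuation line.
ROUNDCUBE_CHANGES = """\
Format: 1.8
Source: roundcube
Version: 1.4.15+dfsg.1-1~deb11u1
Checksums-Sha256:
 169da28484e7a82978623b5311751389c07c5eebdadd1c223dbf917bf9f5add6 3273 roundcube_1.4.15+dfsg.1-1~deb11u1.dsc
 d1806e62b75b5e2c8bbbce987abd3eae874f205dd560ad8f6f02a2171c8cf23a 128840 roundcube_1.4.15+dfsg.1.orig-tinymce-langs.tar.xz
 b61678512254fc2af25a42ac689ac6df69bdf6d15d7aea6e9001c8868653ee74 889052 roundcube_1.4.15+dfsg.1.orig-tinymce.tar.xz
 f56e664cddb698cf0eeefb1a34dd495ce0e6d29643b2e2ec0ae5cb9c6342882f 2976560 roundcube_1.4.15+dfsg.1.orig.tar.xz
 d1d52e5fe6148f6a111a1295b563f885cf0f4fdba76b18a61386b3fd4c6c049f 95980 roundcube_1.4.15+dfsg.1-1~deb11u1.debian.tar.xz
 44471f38e9fe60562eda90c035142d4b51c96612e3ae1c34fb74130b97ea36fc 10829 roundcube_1.4.15+dfsg.1-1~deb11u1_amd64.buildinfo
Files:
 ab265a425abdd16b06d8250177823da2 3273 web optional roundcube_1.4.15+dfsg.1-1~deb11u1.dsc
"""

# A stanza entry: leading whitespace, 64 hex digits, decimal size, filename.
ENTRY_RE = re.compile(r"^\s+([0-9a-f]{64})\s+(\d+)\s+(\S+)$")


def parse_checksums_sha256(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza.

    Only the indented continuation lines directly under Checksums-Sha256 are
    read; the next unindented field (for example "Files:") ends the stanza.
    Filenames containing a path separator are rejected so a crafted .changes
    cannot make the verifier read outside the package directory.
    """
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if not in_stanza:
            in_stanza = line.startswith("Checksums-Sha256:")
            continue
        if not line[:1].isspace():
            break
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("malformed Checksums-Sha256 entry: %r" % line)
        digest, size, name = m.groups()
        if "/" in name or name in (".", ".."):
            raise ValueError("refusing path-like filename: %r" % name)
        entries[name] = (digest, int(size))
    if not entries:
        raise ValueError("no Checksums-Sha256 stanza found")
    return entries


def verify_bytes(changes_text, files):
    """Check in-memory {name: bytes} against the stanza.

    Returns {name: "ok" | "missing" | "size-mismatch" | "sha256-mismatch"}.
    The size is compared before hashing so a truncated download is reported
    as such rather than as a bare hash mismatch.
    """
    results = {}
    for name, (digest, size) in parse_checksums_sha256(changes_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "sha256-mismatch"
        else:
            results[name] = "ok"
    return results


def verify_directory(changes_path):
    """Verify the files a .changes file names, looked up in its directory."""
    with open(changes_path, encoding="utf-8") as fh:
        text = fh.read()
    directory = os.path.dirname(os.path.abspath(changes_path))
    files = {}
    for name in parse_checksums_sha256(text):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                files[name] = fh.read()
    return verify_bytes(text, files)


# Constructed self-test data: one good file, one with a flipped byte, one
# truncated, one absent. The stanza claims the same hash and size for all four.
GOOD = b"hello\n"
_GOOD_SHA256 = hashlib.sha256(GOOD).hexdigest()
SAMPLE_CHANGES = "Checksums-Sha256:\n" + "".join(
    " %s %d %s\n" % (_GOOD_SHA256, len(GOOD), n)
    for n in ("hello.txt", "evil.txt", "short.txt", "lost.txt")
) + "Files:\n"
SAMPLE_FILES = {
    "hello.txt": GOOD,
    "evil.txt": b"hellO\n",  # same length, one byte changed
    "short.txt": b"hell",    # truncated
}

if __name__ == "__main__":
    for name, status in sorted(verify_bytes(SAMPLE_CHANGES, SAMPLE_FILES).items()):
        print(name, status)
    for name, (digest, size) in parse_checksums_sha256(ROUNDCUBE_CHANGES).items():
        print(size, digest[:16] + "...", name)
```

A matching checksum only proves the files are the ones the .changes describes; the trust comes from the OpenPGP signature wrapping the .changes, which must be checked against the Debian keyring before the checksums mean anything. dscverify(1) from devscripts performs both steps; this block shows only the checksum half.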