Your message dated Tue, 14 Mar 2017 07:03:58 +0000
with message-id <[email protected]>
and subject line Bug#857473: fixed in roundcube 1.2.3+dfsg.1-2
has caused the Debian Bug report #857473,
regarding roundcube: CVE-2017-6820: XSS issue in handling of a style tag inside
of an svg element
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
857473: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857473
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.2.3+dfsg.1-1
Severity: important
Tags: security patch upstream fixed-upstream
Hi
1.2.4 roundcube release fixed an XSS issue in handling of a style tag
inside of an svg element.
AFAICT, this issue has not yet a CVE assigned, thus I have requested
one.
Fixed by:
https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4
Upstream changelog:
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124
https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
Can you make sure the isolated fix (unless 1.2.4 gets acked by the
release team) makes it into stretch and ask for an unblock for it?
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.2.3+dfsg.1-2
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 14 Mar 2017 03:41:48 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Architecture: source all
Version: 1.2.3+dfsg.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Description:
roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
roundcube-core - skinnable AJAX based webmail solution for IMAP servers
roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 857473
Changes:
roundcube (1.2.3+dfsg.1-2) unstable; urgency=high
.
* Backport fix for CVE-2015-5381: rcube_utils.php in Roundcube before 1.1.8
and 1.2.x before 1.2.4 is susceptible to a cross-site scripting
vulnerability via a crafted Cascading Style Sheets (CSS) token sequence
within an SVG element. (Closes: #857473).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---