Your message dated Tue, 14 Mar 2017 12:36:56 +0000
with message-id <[email protected]>
and subject line Bug#857473: fixed in roundcube 1.2.3+dfsg.1-3
has caused the Debian Bug report #857473,
regarding roundcube: CVE-2017-6820: XSS issue in handling of a style tag inside of an svg element
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
857473: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857473
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.2.3+dfsg.1-1
Severity: important
Tags: security patch upstream fixed-upstream

Hi

1.2.4 roundcube release fixed an XSS issue in handling of a style tag
inside of an svg element.

AFAICT, this issue does not yet have a CVE assigned, thus I have requested
one.

Fixed by:

https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4

Upstream changelog:
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124
https://github.com/roundcube/roundcubemail/releases/tag/1.1.8

Can you make sure the isolated fix (unless 1.2.4 gets acked by the
release team) makes it into stretch and ask for an unblock for it?

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.2.3+dfsg.1-3

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Mar 2017 11:43:18 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Architecture: source all
Version: 1.2.3+dfsg.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Description:
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 857473
Changes:
 roundcube (1.2.3+dfsg.1-3) unstable; urgency=high
 .
   * Backport fix for CVE-2015-5381: rcube_utils.php in Roundcube before 1.1.8
     and 1.2.x before 1.2.4 is susceptible to a cross-site scripting
     vulnerability via a crafted Cascading Style Sheets (CSS) token sequence
     within an SVG element. (Closes: #857473).
     In 1.2.3+dfsg.1-2 the patch wasn't added to debian/patches/series.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
