Hello Guilhem,

On 12/01/2022 14:15, Guilhem Moulin wrote:
In a recent post roundcube webmail upstream has announced the following security fix for #1003027.

CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML messages with malicious CSS content.

(Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and 1.3 are affected too and the same fix applies cleanly. buster- and bullseye-security are no longer affected.)

Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached. I can upload if you'd like but would appreciate if you could take care of the DLA :-)
Thanks for the update. Go ahead and upload to stretch-security, and I'll publish the DLA accordingly :)
(out of curiosity, was there an issue with keeping the "$this->config['charset']" bit from the original patch?)
Cheers!
Sylvain Beucler
Debian LTS Team
