Control: tags -1 + confirmed

On Tue, 2020-07-07 at 16:00 +0200, Guilhem Moulin wrote:
> In a recent post roundcube webmail upstream has announced the
> following security fix:
>
> CVE-2020-15562: Prevent cross-site scripting (XSS) via HTML
> messages with malicious svg/namespace.
>
> This is tracked as #964355. The security team gave the green light
> for an upload of 1.3.14+dfsg.1-1~deb10u1 to buster-security, but
> suggested to target old-p-u for stretch. stretch currently has
> 1.2.3+dfsg.1-4+deb9u3 while stretch-security and stretch-pu have
> 1.2.3+dfsg.1-4+deb9u5. Both debdiffs attached.

It looks like you actually attached the latter debdiff twice. But that's the one we want, so that's fine. :-)

Please go ahead.

> unblock roundcube/1.2.3+dfsg.1-4+deb9u6

Did reportbug add that for a p-u request?

Regards,

Adam