Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8ce6124e by Salvatore Bonaccorso at 2018-11-24T07:44:35Z
Mark CVE-2018-19205 as ignored for stretch
The respective feature would rely on a properly working php-crypt-gpg
installation. Those might be custom on the system (as php-crypt-gpg is
not in stretch). But plugins/enigma/lib/enigma_driver_gnupg.php from
1.2.x has bigger issues anyway, since its decrypt() function doesn't
verify signatures on encrypted messages.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1058,6 +1058,7 @@ CVE-2018-19206 (steps/mail/func.inc in Roundcube before
1.3.8 has XSS via crafte
NOTE:
https://github.com/roundcube/roundcubemail/commit/adcac3b9de2728c34c4d2b107e54823b6a7f6a5b
(master)
CVE-2018-19205 (Roundcube before 1.3.7 mishandles GnuPG MDC
integrity-protection ...)
- roundcube 1.3.8+dfsg.1-1
+ [stretch] - roundcube <ignored> (Relies on properly working
php-crypt-gpg)
NOTE: https://roundcube.net/news/2018/07/27/update-1.3.7-released
NOTE: https://github.com/roundcube/roundcubemail/issues/6289
NOTE:
https://github.com/roundcube/roundcubemail/commit/94da947855329c5062ec2a7098eb86fb675aac37
(release-1.3)
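Review bot: The reason given on the added `[stretch]` line, "Relies on properly working php-crypt-gpg", does not say why that dependency justifies `<ignored>` for stretch. The commit message carries the actual rationale (php-crypt-gpg is not in stretch, so any installation of it is custom to the system), but that does not appear in data/CVE/list. Consider a reason such as "php-crypt-gpg not in stretch, feature needs a custom install" so the tracker entry is understandable without the commit log.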
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ce6124efe67d37c0138eb04f72d4e258559348a