Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content
Control: severity -1 serious

Hi Guilhem,

On Mon, Jan 03, 2022 at 09:57:29AM +0100, Guilhem Moulin wrote:
> Control: notfixed -1 1.5.1+dfsg-1
> Control: found -1 1.5.1+dfsg-1
>
> Hi Salvatore!
>
> On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> > On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
> >> Package: roundcube
> >> Severity: important
> >> Tags: security
> >> Control: found -1 1.3.17+dfsg.1-1~deb10u1
> >> Control: found -1 1.4.12+dfsg.1-1~deb11u1
> >> Control: fixed -1 1.5.1+dfsg-1
> >
> > Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> > that it is fixed in 1.5.2 upstream. Asking for clarifying the
> > tracking.
>
> Oops sorry wrong copy-paste, well spotted! I'll propose uploads for
> buster- and bullseye-security later today; meanwhile perhaps you or
> another Security Team member would like to assign a CVE number for this?
> Then I'll have the proper d/changelog right away :-)
>
> I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
> that it won't enter testing because 1.5 is not fully compatible with PHP
> 8.1.

Raising the severity for this bug to RC, hope you are fine with it.

Rationale: As the issues are now fixed in buster and bullseye via a DSA,
this makes it a regression for bookworm (though I understand yet roundcube
cannot be uploaded for unstable/testing as for the PHP 8.1 compatibility).

Regards,
Salvatore
Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content
On 06/01 06:10, Salvatore Bonaccorso wrote:
> CVE-2021-46144 has been assigned for the roundcube issue.

Thanks for taking care of this Salvatore. I'll review the debdiffs once
Guilhem sends them, and will take care of the DSA afterwards.

Cheers,
-- 
Seb
Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content
Control: retitle -1 roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content

Hi Guilhem,

On Wed, Jan 05, 2022 at 09:19:49PM +0100, Guilhem Moulin wrote:
> Hi carnil,
>
> On Wed, 05 Jan 2022 at 20:49:35 +0100, Salvatore Bonaccorso wrote:
> > FTR, have not yet heard back on the assignment. We can wait a bit
> > longer, but just wanted to say we do not necessarily need to block on
> > the missing assignment if we want to release the DSA earlier. The
> > issue is not that urgent though I think that we could not wait a bit
> > longer.
>
> Thanks for the follow-up! I have the debdiff ready (modulo d/changelog)
> but I agree with your assessment that the severity is not serious
> enough to warrant rushing the DSA through. Let's wait a bit longer then :-)

CVE-2021-46144 has been assigned for the roundcube issue.

Regards,
Salvatore
Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content
Hi carnil,

On Wed, 05 Jan 2022 at 20:49:35 +0100, Salvatore Bonaccorso wrote:
> FTR, have not yet heard back on the assignment. We can wait a bit
> longer, but just wanted to say we do not necessarily need to block on
> the missing assignment if we want to release the DSA earlier. The
> issue is not that urgent though I think that we could not wait a bit
> longer.

Thanks for the follow-up! I have the debdiff ready (modulo d/changelog)
but I agree with your assessment that the severity is not serious
enough to warrant rushing the DSA through. Let's wait a bit longer then :-)

cheers,
-- 
Guilhem.
Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content
Hi Guilhem,

On Mon, Jan 03, 2022 at 10:22:49AM +0100, Salvatore Bonaccorso wrote:
> Hi Guilhem,
>
> On Mon, Jan 03, 2022 at 09:57:29AM +0100, Guilhem Moulin wrote:
> > Control: notfixed -1 1.5.1+dfsg-1
> > Control: found -1 1.5.1+dfsg-1
> >
> > Hi Salvatore!
> >
> > On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> > > On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
> > >> Package: roundcube
> > >> Severity: important
> > >> Tags: security
> > >> Control: found -1 1.3.17+dfsg.1-1~deb10u1
> > >> Control: found -1 1.4.12+dfsg.1-1~deb11u1
> > >> Control: fixed -1 1.5.1+dfsg-1
> > >
> > > Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> > > that it is fixed in 1.5.2 upstream. Asking for clarifying the
> > > tracking.
> >
> > Oops sorry wrong copy-paste, well spotted! I'll propose uploads for
> > buster- and bullseye-security later today; meanwhile perhaps you or
> > another Security Team member would like to assign a CVE number for this?
> > Then I'll have the proper d/changelog right away :-)
> >
> > I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
> > that it won't enter testing because 1.5 is not fully compatible with PHP
> > 8.1.
>
> Thank you. I have requested a CVE, will update this bug once/if one is
> assigned.

FTR, have not yet heard back on the assignment. We can wait a bit
longer, but just wanted to say we do not necessarily need to block on
the missing assignment if we want to release the DSA earlier. The
issue is not that urgent though I think that we could not wait a bit
longer.

Regards,
Salvatore
Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content
Hi Guilhem,

On Mon, Jan 03, 2022 at 09:57:29AM +0100, Guilhem Moulin wrote:
> Control: notfixed -1 1.5.1+dfsg-1
> Control: found -1 1.5.1+dfsg-1
>
> Hi Salvatore!
>
> On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> > On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
> >> Package: roundcube
> >> Severity: important
> >> Tags: security
> >> Control: found -1 1.3.17+dfsg.1-1~deb10u1
> >> Control: found -1 1.4.12+dfsg.1-1~deb11u1
> >> Control: fixed -1 1.5.1+dfsg-1
> >
> > Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> > that it is fixed in 1.5.2 upstream. Asking for clarifying the
> > tracking.
>
> Oops sorry wrong copy-paste, well spotted! I'll propose uploads for
> buster- and bullseye-security later today; meanwhile perhaps you or
> another Security Team member would like to assign a CVE number for this?
> Then I'll have the proper d/changelog right away :-)
>
> I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
> that it won't enter testing because 1.5 is not fully compatible with PHP
> 8.1.

Thank you. I have requested a CVE, will update this bug once/if one is
assigned.

Regards,
Salvatore
Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content
Control: notfixed -1 1.5.1+dfsg-1
Control: found -1 1.5.1+dfsg-1

Hi Salvatore!

On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote:
> On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
>> Package: roundcube
>> Severity: important
>> Tags: security
>> Control: found -1 1.3.17+dfsg.1-1~deb10u1
>> Control: found -1 1.4.12+dfsg.1-1~deb11u1
>> Control: fixed -1 1.5.1+dfsg-1
>
> Is this correct with the 1.5.1+dfsg-1 version? The release notes say
> that it is fixed in 1.5.2 upstream. Asking for clarifying the
> tracking.

Oops sorry wrong copy-paste, well spotted! I'll propose uploads for
buster- and bullseye-security later today; meanwhile perhaps you or
another Security Team member would like to assign a CVE number for this?
Then I'll have the proper d/changelog right away :-)

I'm planning to upload 1.5.2+dfsg-1 to sid later today too, but note
that it won't enter testing because 1.5 is not fully compatible with PHP
8.1.

Cheers
-- 
Guilhem.
Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content
Hi Guilhem,

On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote:
> Package: roundcube
> Severity: important
> Tags: security
> Control: found -1 1.3.17+dfsg.1-1~deb10u1
> Control: found -1 1.4.12+dfsg.1-1~deb11u1
> Control: fixed -1 1.5.1+dfsg-1

Is this correct with the 1.5.1+dfsg-1 version? The release notes say
that it is fixed in 1.5.2 upstream. Asking for clarifying the
tracking.

Regards,
Salvatore
Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content
Package: roundcube
Severity: important
Tags: security
Control: found -1 1.3.17+dfsg.1-1~deb10u1
Control: found -1 1.4.12+dfsg.1-1~deb11u1
Control: fixed -1 1.5.1+dfsg-1

In a recent post [0] roundcube webmail upstream has announced a fix for a
cross-site scripting (XSS) vulnerability via HTML messages with malicious
CSS content. Upstream fix for the 1.4 LTS branch:

    https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8

There was no new 1.3 LTS release but AFAICT 1.3 is affected as well and
the same fix applies.

-- 
Guilhem.

[0] https://roundcube.net/news/2021/12/30/security-update-1.4.13-released
    https://roundcube.net/news/2021/12/30/update-1.5.2-released
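The found/fixed bookkeeping in this thread (and the 1.5.1 vs 1.5.2 slip that was caught above) rests on dpkg's version ordering, where `~deb10u1` sorts below a plain `-1` revision and `+dfsg` sorts above the bare upstream number. The block below is an added illustration and not code from Roundcube, dpkg or the Debian security tracker: it re-implements the Debian Policy version comparison in Python so the check runs without dpkg, then applies it to the versions quoted in this bug. The names FOUND, FIXED_SID, UPSTREAM_FIXED, sid_status and upstream_branch_fixed are this example's own; the sid fixed version 1.5.2+dfsg-1 and the upstream fixed releases 1.4.13 and 1.5.2 are taken from the thread and the linked release notes, and the absence of a 1.3 upstream release is as stated in the report.

```python
"""dpkg-style version ordering applied to the found/fixed versions of this bug.
Added illustration, not Roundcube's, dpkg's or the security tracker's code:
a re-implementation of the Debian Policy 5.6.12 comparison algorithm."""
from typing import Tuple


def _order(c: str) -> int:
    """Sort weight of one character inside a non-digit run (dpkg's order())."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":          # '~' sorts before anything, even the end of the string
        return -1
    return ord(c) + 256   # '+', '.', '-', ... sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare upstream-version or revision strings like dpkg: alternate
    non-digit runs (char by char via _order) and digit runs (numerically,
    leading zeros ignored).  Returns <0, 0 or >0."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        first_diff = 0
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; missing epoch is 0, a missing
    revision is '' (which compares equal to '0')."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


# Versions exactly as they appear in this bug thread (example's own tables).
FOUND = {
    "buster": "1.3.17+dfsg.1-1~deb10u1",
    "bullseye": "1.4.12+dfsg.1-1~deb11u1",
    "sid": "1.5.1+dfsg-1",
}
FIXED_SID = "1.5.2+dfsg-1"                          # sid upload carrying upstream 1.5.2
UPSTREAM_FIXED = {"1.4": "1.4.13", "1.5": "1.5.2"}  # per the linked release notes; none for 1.3


def sid_status(installed: str) -> str:
    """Tracker-style verdict for sid: fixed once the installed version sorts at
    or above the fixing upload (why 'fixed -1 1.5.1+dfsg-1' was wrong)."""
    return "fixed" if compare_versions(installed, FIXED_SID) >= 0 else "vulnerable"


def upstream_branch_fixed(installed: str) -> bool:
    """Does the upstream part of a Debian version contain the upstream fix for
    its own 1.x branch?  Branch-aware: 1.4.13 counts although it sorts below
    1.5.2.  It cannot see a backported patch (a ~debNuM upload keeps the old
    upstream part), so for stable suites rely on the suite's own fixed version."""
    upstream = parse_version(installed)[1]
    branch = ".".join(upstream.split(".")[:2])
    fixed = UPSTREAM_FIXED.get(branch)
    return fixed is not None and _verrevcmp(upstream, fixed) >= 0


if __name__ == "__main__":
    for suite, ver in FOUND.items():
        print(f"{suite}: {ver} upstream_fix_present={upstream_branch_fixed(ver)}")
    print(f"sid: {FIXED_SID} -> {sid_status(FIXED_SID)}")
```

On a Debian host the equivalent check is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' roundcube)" ge 1.5.2+dfsg-1`, but only against the fixed version of the suite the package came from: a stable security upload carries a `~debNuM` revision that sorts below the sid version while still containing the backported patch, which is why the tracker records a separate fixed version per suite.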