Re: Wheezy update of roundcube?

2017-11-19 Thread Guilhem Moulin
Hi Ola,

Sorry for the delay, not sure if you got an answer yet; either way I'm
not answering on behalf of the team here.

On Sat, 11 Nov 2017 at 20:14:38 +0100, Ola Lundqvist wrote:
> Would you like to take care of this yourself?
> 
> The proposed patch for later release will not apply cleanly to the version
> in wheezy so the porting work is larger than usual.
> […]
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

Unfortunately I no longer have any machine running Wheezy so I don't
have an easy way to adapt the patch or test the package anymore :-/

Cheers,
-- 
Guilhem.




Wheezy update of roundcube?

2017-11-11 Thread Ola Lundqvist
Dear maintainers,

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/CVE-2017-16651

Would you like to take care of this yourself?

The proposed patch for later release will not apply cleanly to the version
in wheezy so the porting work is larger than usual.

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of roundcube updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



Wheezy update of roundcube?

2016-12-07 Thread Chris Lamb
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/source-package/roundcube

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of roundcube updates
for the LTS releases.

Thank you very much.

Chris Lamb,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Wheezy update of roundcube

2016-09-07 Thread Ola Lundqvist
Hi

If you are sure CVE-2016-4068 is mitigated then we should be able to
mark it as fixed.
But you need to be sure. :-)

// Ola

On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzog  wrote:
> Hi Markus,
>
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on everything you like. Fixing CVE-2014-9587 together
>> with CVE-2016-4069 isn't strictly required but you could probably reuse
>> some of your work if you try to tackle these issues. In any case the
>> whole CSRF complex requires much more work IMO and unless you are
>> already familiar with Roundcube and PHP it might not be the right
>> package to start with. It's up to you.
>
> It was indeed a non-trivial amount of work... but the attached patch
> fixes CVE-2016-4069 according to my tests (i.e. download requests
> without _token do fail).
>
> On thursday I will see if I can deal with CVE-2014-9587 as well.
>
> Then there's https://security-tracker.debian.org/tracker/CVE-2016-4068
> you left it open but it's mitigated since one cannot view SVG files.
> There is a patch available now
> (https://github.com/roundcube/roundcubemail/commit/a1fdb205f824dee7fd42dda739f207abc85ce158)
> but I'm not sure it's worth the effort of the backport. Because
> backporting this patch would also require backporting the real
> fix for https://security-tracker.debian.org/tracker/CVE-2015-8864
> which is also rather involved.
>
> Thus I'm tempted to just mark the CVE-2016-4068 as fixed with your DLA-537-1.
>
> What do you think?
>
> I just spent 5 hours just for the attached patch...
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/



-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---



Re: Wheezy update of roundcube

2016-07-20 Thread Lucas Kanashiro


On 07/20/2016 02:23 PM, Markus Koschany wrote:
> Hi,
>
> Feel free to work on everything you like. Fixing CVE-2014-9587 together
> with CVE-2016-4069 isn't strictly required but you could probably reuse
> some of your work if you try to tackle these issues. In any case the
> whole CSRF complex requires much more work IMO and unless you are
> already familiar with Roundcube and PHP it might not be the right
> package to start with. It's up to you.
>

Sure, so I guess I'll claim another package.

Thanks again.

-- 
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C






Re: Wheezy update of roundcube

2016-07-20 Thread Lucas Kanashiro
Hi Markus,


On 07/20/2016 01:12 PM, Markus Koschany wrote:
> Hello Lucas,
>
> I have prepared the last update of roundcube and just had a look at your
> patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as
> simple as it looks like on first glance. The whole foundation to protect
> against CSRF is missing. For instance the secure_url or
> request_security_check functions are not implemented in your patch or in
> the original version in Wheezy and without them your patch won't work. I
> think a proper fix requires more backporting work. Fixing CVE-2014-9587
> should also be considered because it also deals with a CSRF
> vulnerability but wasn't deemed important enough back then.
>

Thanks for your feedback, I am not a PHP expert and this is my first
contribution in the LTS team, so sorry for any problem. Do you think it is
worth working on CVE-2014-9587? Or should I leave this package and try to
work on another one?

Thanks a lot!
Cheers.

-- 
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C






Wheezy update of roundcube

2016-07-20 Thread Lucas Kanashiro
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/CVE-2016-4069

I missed the first contact where I should answer if you want to do it
or leave it to us, sorry. I already prepared a new version where I
adapted the upstream fix to the wheezy version. The diff is attached.

I tested the upgrade of the previous version to this one and it worked.
I did some tests, but if you could review it I'd appreciate it.

After your feedback I can upload it or leave it up to you.

Thank you very much.

Lucas Kanashiro,
  on behalf of the Debian LTS team.

PS: if you want, the new packages are available here:
https://people.debian.org/~kanashiro/wheezy_lts/

-- 
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C

diff -Nru roundcube-0.7.2/debian/changelog roundcube-0.7.2/debian/changelog
--- roundcube-0.7.2/debian/changelog2016-06-30 17:20:39.0 -0300
+++ roundcube-0.7.2/debian/changelog2016-07-05 11:45:38.0 -0300
@@ -1,3 +1,11 @@
+roundcube (0.7.2-9+deb7u4) wheezy-security; urgency=medium
+
+  * Non-maintainer upload by LTS team.
+  * Fix CVE-2016-4069, Protect download urls against CSRF using unique request
+tokens
+
+ -- Lucas Kanashiro   Tue, 05 Jul 2016 11:44:27 -0300
+
 roundcube (0.7.2-9+deb7u3) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
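Review bot: the changelog entry lists only the CVE-2016-4069 fix, but this debdiff also rewrites debian/patches/CVE-2015-8864.patch (the two hunks that follow); add a bullet such as `* Refresh CVE-2015-8864.patch (hunk headers only, no functional change).` so a reviewer can tell that patch was merely refreshed. Also consider `urgency=high` to match the previous deb7u3 security entry, end the CVE bullet with a period, and indent its continuation line (`tokens`) under the bullet as the entry below does.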
diff -Nru roundcube-0.7.2/debian/patches/CVE-2015-8864.patch 
roundcube-0.7.2/debian/patches/CVE-2015-8864.patch
--- roundcube-0.7.2/debian/patches/CVE-2015-8864.patch  2016-06-30 
17:20:39.0 -0300
+++ roundcube-0.7.2/debian/patches/CVE-2015-8864.patch  2016-07-05 
11:30:21.0 -0300
@@ -16,11 +16,9 @@
  program/steps/mail/get.inc | 9 +
  1 file changed, 9 insertions(+)
 
-diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
-index 0c11eb2..7fcc6a1 100644
 --- a/program/steps/mail/get.inc
 +++ b/program/steps/mail/get.inc
-@@ -134,6 +134,9 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) 
{
+@@ -134,6 +134,9 @@ else if ($pid = get_input_value('_part',
  
header("Content-Disposition: $disposition; filename=\"$filename\"");
  
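Review bot: the only changes in this hunk drop the `diff --git` and `index` lines and truncate the function context after the `@@ -134,6 +134,9 @@` header, i.e. a `quilt refresh` of an otherwise unchanged patch. That is harmless, but it makes the debdiff noisier than the actual fix; either leave the existing patch untouched or state in the changelog that it was refreshed without functional change.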
@@ -30,7 +28,7 @@
// do content filtering to avoid XSS through fake images
if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) {
  if ($part->body)
-@@ -145,6 +148,12 @@ else if ($pid = get_input_value('_part', 
RCUBE_INPUT_GET)) {
+@@ -145,6 +148,12 @@ else if ($pid = get_input_value('_part',
$IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, 
false, $stdout);
  }
}
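Review bot: same refresh-only change as the previous hunk (the `@@ -145,6 +148,12 @@` header loses its trailing context, the body is untouched); the `-30,7 +28,7` offset is exactly the two header lines removed above, so nothing else in CVE-2015-8864.patch changed.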
diff -Nru roundcube-0.7.2/debian/patches/CVE-2016-4069.patch 
roundcube-0.7.2/debian/patches/CVE-2016-4069.patch
--- roundcube-0.7.2/debian/patches/CVE-2016-4069.patch  1969-12-31 
21:00:00.0 -0300
+++ roundcube-0.7.2/debian/patches/CVE-2016-4069.patch  2016-07-20 
10:41:09.0 -0300
@@ -0,0 +1,153 @@
+Description: Fix CVE-2016-4069
+ Protect download urls against CSRF using unique request tokens. Send
+ X-Frame-Options headers with every HTTP response.
+Author: Lucas Kanashiro 
+Last-Updated: 2016-07-05
+
+--- a/plugins/managesieve/managesieve.php
 b/plugins/managesieve/managesieve.php
+@@ -426,6 +426,8 @@ class managesieve extends rcube_plugin
+ }
+ }
+ else if ($action == 'setget') {
++$this->rc->request_security_check(RCUBE_INPUT_GET);
++
+ $script_name = get_input_value('_set', RCUBE_INPUT_GPC, true);
+ $script = $this->sieve->get_script($script_name);
+ 
+--- a/plugins/managesieve/managesieve.js
 b/plugins/managesieve/managesieve.js
+@@ -183,7 +183,7 @@ rcube_webmail.prototype.managesieve_setg
+   var id = this.filtersets_list.get_single_selection(),
+ script = this.env.filtersets[id];
+ 
+-  location.href = 
this.env.comm_path+'&_action=plugin.managesieve&_act=setget&_set='+urlencode(script);
++  this.goto_url('plugin.managesieve-action', {_act: 'setget', _set: script}, 
false, true);
+ };
+ 
+ // Set activate/deactivate request
+--- a/program/include/rcube_template.php
 b/program/include/rcube_template.php
+@@ -369,10 +369,11 @@ class rcube_template extends rcube_html_
+ $js .= $this->get_js_commands() . ($this->framed ? ' }' : '');
+ $this->add_script($js, 'head_top');
+ 
+-// send clickjacking protection headers
++// allow (legal) iframe content to be loaded
+ $iframe = $this->framed || !empty($_REQUEST['_framed']);
+-if (!headers_sent() && ($xframe = 
$this->app->config->get('x_frame_options', 'sameorigin')))
+-header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 
'sameorigin' : $xframe));
++if (!headers_sent() && $iframe && 
$this->app->config->get('x_frame_options', 'sameorigin') === 'deny') {
++  
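Review bot: this new patch calls infrastructure that the visible lines do not add, and the diff is cut off mid-hunk here, so the rest must be checked before upload. The managesieve hunk calls `$this->rc->request_security_check(RCUBE_INPUT_GET)` and the JS hunk passes a fourth argument to `this.goto_url(...)` (presumably the flag that appends `_token`); unless the remainder of the patch backports those methods, the `setget` action fails on 0.7.2 instead of being token-protected, which is what Markus reports later in the thread (`secure_url`/`request_security_check` are not implemented in Wheezy). The JS also now targets the action `plugin.managesieve-action` while the removed line used `_action=plugin.managesieve`, so confirm the 0.7.2 plugin registers that action name. In rcube_template.php the unconditional `X-Frame-Options` header is replaced by one sent only when `$iframe` is set and `x_frame_options === 'deny'`, which contradicts the patch description ("Send X-Frame-Options headers with every HTTP response") unless the truncated part adds the header at a central place; if it does not, the backport removes clickjacking protection from non-framed pages rather than extending it. Finally, the DEP-3 header credits only a Debian author although the mail says this adapts the upstream fix: add `Origin: backport, <upstream commit URL>` and a `Bug-Debian`/security-tracker reference.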

Re: Wheezy update of roundcube?

2016-06-20 Thread Markus Koschany
On 20.06.2016 10:56, Brian May wrote:
> Brian May  writes:
> 
>> Markus Koschany  writes:
>>
>>> I just had a closer look at the vulnerabilities. I have marked
>>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>>> the vulnerable code is not present in this version. There is no upstream
>>> fix available for CVE-2016-4086.
>>>
>>> That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
>>> needs more investigation. Some affected plugins don't exist in Wheezy,
>>> the rest of the code is quite different.
>>>
>>> If you agree I intend to fix the two CVEs shortly. At the moment I think
>>> a backport is not necessary.
>>
>> Not sure if you were asking me or the mailing list, however no
>> objections from me. I say go ahead and do it.
> 
> Did you still want to do this?
> 

Yes, it is done but I haven't found the time to properly test it yet. I
expect an announcement this month.

Regards,

Markus





Re: Wheezy update of roundcube?

2016-06-20 Thread Brian May
Brian May  writes:

> Markus Koschany  writes:
>
>> I just had a closer look at the vulnerabilities. I have marked
>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>> the vulnerable code is not present in this version. There is no upstream
>> fix available for CVE-2016-4086.
>>
>> That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
>> needs more investigation. Some affected plugins don't exist in Wheezy,
>> the rest of the code is quite different.
>>
>> If you agree I intend to fix the two CVEs shortly. At the moment I think
>> a backport is not necessary.
>
> Not sure if you were asking me or the mailing list, however no
> objections from me. I say go ahead and do it.

Did you still want to do this?
-- 
Brian May 



Re: Wheezy update of roundcube?

2016-06-11 Thread Brian May
Markus Koschany  writes:

> I just had a closer look at the vulnerabilities. I have marked
> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
> the vulnerable code is not present in this version. There is no upstream
> fix available for CVE-2016-4086.
>
> That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
> needs more investigation. Some affected plugins don't exist in Wheezy,
> the rest of the code is quite different.
>
> If you agree I intend to fix the two CVEs shortly. At the moment I think
> a backport is not necessary.

Not sure if you were asking me or the mailing list, however no
objections from me. I say go ahead and do it.
-- 
Brian May 



Re: Re: Wheezy update of roundcube?

2016-06-09 Thread Brian May
Adrian Zaugg  writes:

> I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.

I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1
from jessie-backports instead.

Unfortunately it needs a newer version of libjs-jquery than what is
available in Wheezy:


Install roundcube build dependencies (apt-based resolver)
-

Installing build dependencies
Reading package lists...
Building dependency tree...
Reading state information...
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 sbuild-build-depends-roundcube-dummy : Depends: libjs-jquery-ui (>= 1.10) but 
it is not going to be installed
E: Unable to correct problems, you have held broken packages.
apt-get failed.
E: Package installation failed
Not removing build depends: cloned chroot in use

-- 
Brian May 



Re: Wheezy update of roundcube?

2016-05-09 Thread Sandro Knauß
Hey,

On the one side I'm totally with Guilhem that getting rid of the old
roundcube in old-stable would be the best thing. Upstream itself has not
supported this version for a long time. I'm not sure if any CVEs are filed
for such old versions anymore by upstream.

On the other side: the upgrade from 0.7->0.9->1.0 was never tested on a big
audience, because roundcube was not released with stable. So we have a very
small test set that tested this upgrade. So pushing this upgrade to LTS is
exactly the opposite of providing a stable upgrade.

Regards,

sandro

--
Am Dienstag, 3. Mai 2016, 18:52:32 CEST schrieb Markus Koschany:
> Am 03.05.2016 um 18:37 schrieb Moritz Muehlenhoff:
> > On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
> >> The second best solution would be to backport either the 1.0.x branch or
> >> your jessie-backport packages to Wheezy. Since you actively maintain
> >> them, what do you think, how complex is the task to backport the
> >> packages from jessie-backports to Wheezy?
> > 
> > What's the point in updating a server package like roundcube in LTS
> > to the version from LTS+1? It creates significant churn on the sysadmin's
> > side, which is better spent on upgrading the entire VM/machine to LTS+1.
> > 
> > Clearly not all packages are suitable for five years maintenance, so it's
> > better to not paper over the systems, but rather make this explicit.
> 
> You should also take into consideration that Roundcube is a web
> application and depending on the package in question and options
> available, a backport is a reasonable solution, for the same reasons we
> have backported other packages before. Also the whole point of LTS is
> that you don't have to upgrade the entire system, especially if you run
> multiple different PHP applications on the same server. The order of
> options is still valid.
> 
> Regards,
> 
> Markus





Re: Re: Wheezy update of roundcube?

2016-05-04 Thread Adrian Zaugg
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little messy.

> Am 03.05.2016 um 17:49 schrieb Guilhem Moulin:
>> Agreed, I think 0.9 should be either removed from the archive or
>> superseded by 1.0.x.

To keep Roundcube 0.7.x and remove 0.9.x is not a good option in my
opinion; I agree with Antoine that probably a lot of people are using the
backported 0.9.x version, since 0.7 is by far not as usable as 0.9.

I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.

Regards, Adrian.



Re: Wheezy update of roundcube?

2016-05-04 Thread Gabriel Moreau



> For instance, I run the unstable wordpress on a wheezy machine. And
> each wordpress upgrade is painless, but a full upgrade to jessie would
> be much more time consuming.


I agree for wordpress.

But roundcube is a little different. You don't have to run it on the
email server. It's just a box with a config file but no data. When you
upgrade the roundcube version, you have to upgrade the config file most of
the time.


gaby

PS : but a new roundcube will be pleasant for me too ;-)
--
Gabriel Moreau - IR CNRS    http://www.legi.grenoble-inp.fr
LEGI (UMR 5519) Laboratoire des Ecoulements Geophysiques et Industriels
BP53, 38041 Grenoble Cedex, France
mailto:gabriel.mor...@legi.grenoble-inp.fr  tel:+33.476.825.015



Re: Wheezy update of roundcube?

2016-05-04 Thread Raphael Hertzog
Hi,

On Tue, 03 May 2016, Moritz Muehlenhoff wrote:
> What's the point in updating a server package like roundcube in LTS
> to the version from LTS+1? It creates significant churn on the sysadmin's
> side, which is better spent on upgrading the entire VM/machine to LTS+1.

I don't think this is entirely true. It really depends on the work that
such an update generates but depending on the webapp, this might amount
to nothing.

For instance, I run the unstable wordpress on a wheezy machine. And
each wordpress upgrade is painless, but a full upgrade to jessie would
be much more time consuming.

And in general, we (Debian in general) are more open to the idea of having
such high level applications with no reverse dependencies to be upgraded
to new upstream versions when that is the only possibility.

Not supporting the package is the worst outcome in my opinion.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: Wheezy update of roundcube?

2016-05-03 Thread Markus Koschany
Am 03.05.2016 um 18:37 schrieb Moritz Muehlenhoff:
> On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
>> The second best solution would be to backport either the 1.0.x branch or
>> your jessie-backport packages to Wheezy. Since you actively maintain
>> them, what do you think, how complex is the task to backport the
>> packages from jessie-backports to Wheezy?
> 
> What's the point in updating a server package like roundcube in LTS
> to the version from LTS+1? It creates significant churn on the sysadmin's
> side, which is better spent on upgrading the entire VM/machine to LTS+1.
> 
> Clearly not all packages are suitable for five years maintenance, so it's
> better to not paper over the systems, but rather make this explicit.

You should also take into consideration that Roundcube is a web
application and depending on the package in question and options
available, a backport is a reasonable solution, for the same reasons we
have backported other packages before. Also the whole point of LTS is
that you don't have to upgrade the entire system, especially if you run
multiple different PHP applications on the same server. The order of
options is still valid.

Regards,

Markus






Re: Wheezy update of roundcube?

2016-05-03 Thread Moritz Muehlenhoff
On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
> The second best solution would be to backport either the 1.0.x branch or
> your jessie-backport packages to Wheezy. Since you actively maintain
> them, what do you think, how complex is the task to backport the
> packages from jessie-backports to Wheezy?

What's the point in updating a server package like roundcube in LTS
to the version from LTS+1? It creates significant churn on the sysadmin's
side, which is better spent on upgrading the entire VM/machine to LTS+1.

Clearly not all packages are suitable for five years maintenance, so it's
better to not paper over the systems, but rather make this explicit.

Cheers,
Moritz



Re: Wheezy update of roundcube?

2016-05-03 Thread Markus Koschany
Am 03.05.2016 um 17:49 schrieb Guilhem Moulin:
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little messy.
> 
> Sorry, I meant oldstable-backports not oldstable.  Packaging 1.0.x for
> wheezy-backports sounds much easier than backporting security patches to
> wheezy's 0.7.x.

Hi,

the backports team regularly rejects packages that try to fix bugs or
even security vulnerabilities by providing the fixes with
{wheezy|jessie}-backports instead of fixing them via stable or security
updates directly.

I'm not sure yet how difficult it would be to backport the fixes to the
0.7.x branch and if all CVEs apply to Wheezy but that would be the
preferred solution which might also be less disruptive.

The second best solution would be to backport either the 1.0.x branch or
your jessie-backport packages to Wheezy. Since you actively maintain
them, what do you think, how complex is the task to backport the
packages from jessie-backports to Wheezy?

>> I filed a bug about the dangling backport in wheezy:
>>
>>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813843
>>
>> I wonder how best to deal with this: should the backport just be removed
>> or what?
> 
> Agreed, I think 0.9 should be either removed from the archive or
> superseded by 1.0.x.

+1

I'm all for removing it as soon as possible from backports. We don't
need to wait for updated packages.

Regards,

Markus





Re: Wheezy update of roundcube?

2016-05-03 Thread Guilhem Moulin
On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
> I agree, however I suspect most people using roundcube in production are
> probably using the backport... There's even a dangling backport in
> wheezy right now (0.9)... a little messy.

Sorry, I meant oldstable-backports not oldstable.  Packaging 1.0.x for
wheezy-backports sounds much easier than backporting security patches to
wheezy's 0.7.x.
 
> I filed a bug about the dangling backport in wheezy:
> 
>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813843
> 
> I wonder how best to deal with this: should the backport just be removed
> or what?

Agreed, I think 0.9 should be either removed from the archive or
superseded by 1.0.x.

Cheers,
-- 
Guilhem.




Re: Wheezy update of roundcube?

2016-05-03 Thread Antoine Beaupré
On 2016-05-02 15:31:39, Guilhem Moulin wrote:
> Hi there,
>
> On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
>> Would you like to take care of this yourself?
>
> Not replying in the name of the team (however I'm the one who pushed for
> Roundcube in jessie-backports and who is trying to take care of it
> there), unfortunately I don't have the time nor energy to take care of
> an oldstable version.
>
> That being said, I think packaging the Roundcube 1.0.x (stable) branch
> would be the easiest for Wheezy.
>
> https://github.com/roundcube/roundcubemail/releases/

I agree, however I suspect most people using roundcube in production are
probably using the backport... There's even a dangling backport in
wheezy right now (0.9)... a little messy.

I filed a bug about the dangling backport in wheezy:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813843

I wonder how best to deal with this: should the backport just be removed
or what?

A.

-- 
You Are What You Is
- Frank Zappa



Re: Wheezy update of roundcube?

2016-05-02 Thread Guilhem Moulin
Hi there,

On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
> Would you like to take care of this yourself?

Not replying in the name of the team (however I'm the one who pushed for
Roundcube in jessie-backports and who is trying to take care of it
there), unfortunately I don't have the time nor energy to take care of
an oldstable version.

That being said, I think packaging the Roundcube 1.0.x (stable) branch
would be the easiest for Wheezy.

https://github.com/roundcube/roundcubemail/releases/

Cheers,
-- 
Guilhem.




Wheezy update of roundcube?

2016-05-02 Thread Markus Koschany
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/CVE-2016-4068

We know that roundcube is at least affected by CVE-2016-4068 in Wheezy but we
are interested in your opinion too.

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Markus Koschany,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup