Bug#847287: [Pkg-roundcube-maintainers] Bug#847287:

2016-12-08 Thread Guilhem Moulin
On Thu, 08 Dec 2016 at 19:46:32 +0100, Reiner Buehl wrote:
> Sorry if I ask a stupid question, but do I understand correctly that if I
> have 1.1.5+dfsg.1-1~bpo8+2 installed, then the fix is applied?

That's correct, cf.

Bug#847287:

2016-12-08 Thread Reiner Buehl
Sorry if I ask a stupid question, but do I understand correctly that if I have 1.1.5+dfsg.1-1~bpo8+2 installed, then the fix is applied?

Best regards,
Reiner

Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-08 Thread Chris Lamb
Hi,

> What about wheezy / wheezy-backports? Are these packages affected too?

Yes. Am updating wheezy now with my "LTS" hat on and issuing the corresponding DLA. :)

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-08 Thread Darshaka Pathirana
On Wed, 07 Dec 2016 12:16:14 +0100 Vincent Bernat wrote:
> ❦ 7 December 2016 12:08 +0100, Guilhem Moulin :
>
> >> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
> >> big.
> >
> > 1.1.5+dfsg.1-1_bpo8+1 is the current version

Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-07 Thread Vincent Bernat
❦ 7 December 2016 12:08 +0100, Guilhem Moulin :

>> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
>> big.
>
> 1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
> April 29). The diff between 1.1.5+dfsg.1-1_bpo8+1 and

Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-07 Thread Guilhem Moulin
On Wed, 07 Dec 2016 at 11:55:50 +0100, Vincent Bernat wrote:
> ❦ 7 December 2016 11:27 +0100, Guilhem Moulin :
> Unfortunately 1.2.x has many dependencies that aren't in jessie-backports yet. I personally don't have the time nor energy to maintain said

Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-07 Thread Vincent Bernat
❦ 7 December 2016 11:27 +0100, Guilhem Moulin :

>>> Unfortunately 1.2.x has many dependencies that aren't in
>>> jessie-backports yet. I personally don't have the time nor energy to
>>> maintain said dependencies, so we asked backports folks for an exception
>>> to stick

Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-07 Thread Guilhem Moulin
On Wed, 07 Dec 2016 at 07:46:06 +0100, Vincent Bernat wrote:
> ❦ 7 December 2016 00:30 +0100, Guilhem Moulin :
>
>>> Version: 1.1.4+dfsg.1-1~bpo8+1
>>> […]
>>> So probably it is important to update to upstream version 1.2.3
>>
>> Unfortunately 1.2.x has many dependencies

Bug#847287: Security Update for roundcube -- planning

2016-12-07 Thread Sandro Knauß
Hey,

we are discussing how we should handle the security issue for roundcube. It currently has no CVE; it is tracked as TEMP-0847287-64604E on security.debian.org or #847287 on the BTS.

Because we should not upload a new 1.1.X version to bpo, we thought to only push an update that fixes only this

Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-06 Thread Vincent Bernat
❦ 7 December 2016 00:30 +0100, Guilhem Moulin :

>> Version: 1.1.4+dfsg.1-1~bpo8+1
>> […]
>> So probably it is important to update to upstream version 1.2.3
>
> Unfortunately 1.2.x has many dependencies that aren't in
> jessie-backports yet. I personally don't have the

Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-06 Thread Salvatore Bonaccorso
Hi,

On Wed, Dec 07, 2016 at 12:30:42AM +0100, Guilhem Moulin wrote:
> Hi,
>
> On Tue, 06 Dec 2016 at 23:05:59 +, Juan Rossi wrote:
> > Version: 1.1.4+dfsg.1-1~bpo8+1
> > […]
> > So probably it is important to update to upstream version 1.2.3
>
> Unfortunately 1.2.x has many dependencies

Bug#847287:

2016-12-06 Thread Juan Augusto Rossi
Hi,

I guess if package 1.2.3 cannot be backported to jessie due to dependency issues, and there is no exception, that would leave jessie users to backport manually to 1.1.7, which includes the fix: https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released

The issue is quite severe, I

Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-06 Thread Guilhem Moulin
Hi,

On Tue, 06 Dec 2016 at 23:05:59 +, Juan Rossi wrote:
> Version: 1.1.4+dfsg.1-1~bpo8+1
> […]
> So probably it is important to update to upstream version 1.2.3

Unfortunately 1.2.x has many dependencies that aren't in jessie-backports yet. I personally don't have the time nor energy to

Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-06 Thread Juan Rossi
Package: roundcube
Version: 1.1.4+dfsg.1-1~bpo8+1
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Maintainer,

I am reporting this as it is quite important, as testing and unstable versions of roundcube are affected (and even all the backports offered, which