Re: Wheezy update of roundcube?

2017-11-19 Thread Guilhem Moulin
Hi Ola, Sorry for the delay, not sure if you got an answer yet; either way I'm not answering on behalf of the team here. On Sat, 11 Nov 2017 at 20:14:38 +0100, Ola Lundqvist wrote: > Would you like to take care of this yourself? > > The proposed patch for later release will not apply cleanly to

Wheezy update of roundcube?

2017-11-11 Thread Ola Lundqvist
Dear maintainers, The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of roundcube: https://security-tracker.debian.org/tracker/CVE-2017-16651 Would you like to take care of this yourself? The proposed patch for later release will not apply

Wheezy update of roundcube?

2016-12-07 Thread Chris Lamb
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of roundcube: https://security-tracker.debian.org/tracker/source-package/roundcube Would you like to take care of this yourself? If yes, please follow the workflow

Re: Wheezy update of roundcube

2016-09-07 Thread Ola Lundqvist
Hi If you are sure CVE-2016-4068 is mitigated then we should be able to mark it as fixed. But you need to be sure. :-) // Ola On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzog wrote: > Hi Markus, > > On Wed, 20 Jul 2016, Markus Koschany wrote: >> Feel free to work on

Re: Wheezy update of roundcube

2016-07-20 Thread Lucas Kanashiro
On 07/20/2016 02:23 PM, Markus Koschany wrote: > Hi, > > Feel free to work on everything you like. Fixing CVE-2014-9587 together > with CVE-2016-4069 isn't strictly required but you could probably reuse > some of your work if you try to tackle these issues. In any case the > whole CSRF complex

Re: Wheezy update of roundcube

2016-07-20 Thread Lucas Kanashiro
Hi Markus, On 07/20/2016 01:12 PM, Markus Koschany wrote: > Hello Lucas, > > I have prepared the last update of roundcube and just had a look at your > patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as > simple as it looks like on first glance. The whole foundation to

Wheezy update of roundcube

2016-07-20 Thread Lucas Kanashiro
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of roundcube: https://security-tracker.debian.org/tracker/CVE-2016-4069 I missed the first contact where I should answer if you want to do it or leave it to us,

Re: Wheezy update of roundcube?

2016-06-20 Thread Markus Koschany
On 20.06.2016 10:56, Brian May wrote: > Brian May writes: > >> Markus Koschany writes: >> >>> I just had a closer look at the vulnerabilities. I have marked >>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because >>> the vulnerable code is

Re: Wheezy update of roundcube?

2016-06-20 Thread Brian May
Brian May writes: > Markus Koschany writes: > >> I just had a closer look at the vulnerabilities. I have marked >> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because >> the vulnerable code is not present in this version. There is no upstream

Re: Wheezy update of roundcube?

2016-06-11 Thread Brian May
Markus Koschany writes: > I just had a closer look at the vulnerabilities. I have marked > CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because > the vulnerable code is not present in this version. There is no upstream > fix available for CVE-2016-4086. > >

Re: Re: Wheezy update of roundcube?

2016-06-09 Thread Brian May
Adrian Zaugg writes: > I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9. I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1 from jessie-backports instead. Unfortunately it needs a newer version of libjs-jquery than what is

Re: Wheezy update of roundcube?

2016-05-09 Thread Sandro Knauß
Hey, On the one side I'm totally with Guilhem, that getting rid of the old roundcube in old-stable would be the best thing. Upstream itself does not support this version for a longer time. I'm not sure if any CVEs are filed for such old versions anymore from upstream. On the other side: The

Re: Re: Wheezy update of roundcube?

2016-05-04 Thread Adrian Zaugg
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote: >> I agree, however I suspect most people using roundcube in production are >> probably using the backport... There's even a dangling backport in >> wheezy right now (0.9)... a little messy. > Am 03.05.2016 um 17:49 schrieb Guilhem

Re: Wheezy update of roundcube?

2016-05-04 Thread Gabriel Moreau
For instance, I run the unstable wordpress on a wheezy machine. And each wordpress upgrade is painless, but a full upgrade to jessie would be much more time consuming. I agree for wordpress. But roundcube is a little different. You don't have to run it on the email server. It's just a box

Re: Wheezy update of roundcube?

2016-05-04 Thread Raphael Hertzog
Hi, On Tue, 03 May 2016, Moritz Muehlenhoff wrote: > What's the point in updating a server package like roundcube in LTS > to the version from LTS+1? It creates significant churn on the sysadmin's > side, which is better spent on upgrading the entire VM/machine to LTS+1. I don't think this is

Re: Wheezy update of roundcube?

2016-05-03 Thread Markus Koschany
Am 03.05.2016 um 18:37 schrieb Moritz Muehlenhoff: > On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote: >> The second best solution would be to backport either the 1.0.x branch or >> your jessie-backport packages to Wheezy. Since you actively maintain >> them, what do you think, how

Re: Wheezy update of roundcube?

2016-05-03 Thread Moritz Muehlenhoff
On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote: > The second best solution would be to backport either the 1.0.x branch or > your jessie-backport packages to Wheezy. Since you actively maintain > them, what do you think, how complex is the task to backport the > packages from

Re: Wheezy update of roundcube?

2016-05-03 Thread Markus Koschany
Am 03.05.2016 um 17:49 schrieb Guilhem Moulin: > On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote: >> I agree, however I suspect most people using roundcube in production are >> probably using the backport... There's even a dangling backport in >> wheezy right now (0.9)... a little

Re: Wheezy update of roundcube?

2016-05-03 Thread Guilhem Moulin
On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote: > I agree, however I suspect most people using roundcube in production are > probably using the backport... There's even a dangling backport in > wheezy right now (0.9)... a little messy. Sorry, I meant oldstable-backports not

Re: Wheezy update of roundcube?

2016-05-03 Thread Antoine Beaupré
On 2016-05-02 15:31:39, Guilhem Moulin wrote: > Hi there, > > On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote: >> Would you like to take care of this yourself? > > Not replying in the name of team (however I'm the one who pushed for > Roundcube in jessie-backports and who is trying to

Re: Wheezy update of roundcube?

2016-05-02 Thread Guilhem Moulin
Hi there, On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote: > Would you like to take care of this yourself? Not replying in the name of team (however I'm the one who pushed for Roundcube in jessie-backports and who is trying to take care of it there), unfortunately I don't have the

Wheezy update of roundcube?

2016-05-02 Thread Markus Koschany
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of roundcube: https://security-tracker.debian.org/tracker/CVE-2016-4068 We know that roundcube is at least affected by CVE-2016-4068 in Wheezy but we are interested