Hi Ola,
Sorry for the delay, not sure if you got an answer yet; either way I'm
not answering on behalf of the team here.
On Sat, 11 Nov 2017 at 20:14:38 +0100, Ola Lundqvist wrote:
> Would you like to take care of this yourself?
>
> The proposed patch for later release will not apply cleanly to
Dear maintainers,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/CVE-2017-16651
Would you like to take care of this yourself?
The proposed patch for later release will not apply
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/source-package/roundcube
Would you like to take care of this yourself?
If yes, please follow the workflow
Hi
If you are sure CVE-2016-4068 is mitigated then we should be able to
mark it as fixed.
But you need to be sure. :-)
// Ola
On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzog wrote:
> Hi Markus,
>
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on
On 07/20/2016 02:23 PM, Markus Koschany wrote:
> Hi,
>
> Feel free to work on everything you like. Fixing CVE-2014-9587 together
> with CVE-2016-4069 isn't strictly required but you could probably reuse
> some of your work if you try to tackle these issues. In any case the
> whole CSRF complex
Hi Markus,
On 07/20/2016 01:12 PM, Markus Koschany wrote:
> Hello Lucas,
>
> I have prepared the last update of roundcube and just had a look at your
> patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as
> simple as it looks like on first glance. The whole foundation to
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/CVE-2016-4069
I missed the first contact where I should answer if you want to do it
or leave it to us,
On 20.06.2016 10:56, Brian May wrote:
> Brian May writes:
>
>> Markus Koschany writes:
>>
>>> I just had a closer look at the vulnerabilities. I have marked
>>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>>> the vulnerable code is
Brian May writes:
> Markus Koschany writes:
>
>> I just had a closer look at the vulnerabilities. I have marked
>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>> the vulnerable code is not present in this version. There is no upstream
Markus Koschany writes:
> I just had a closer look at the vulnerabilities. I have marked
> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
> the vulnerable code is not present in this version. There is no upstream
> fix available for CVE-2016-4086.
>
>
Adrian Zaugg writes:
> I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.
I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1
from jessie-backports instead.
Unfortunately it needs a newer version of libjs-jquery than what is
Hey,
On the one side I'm totally with Guilhem, that getting rid of the old
roundcube in old-stable would be the best thing. Upstream itself does not
support this version for a longer time. I'm not sure if any CVEs are filed for
such old versions anymore from upstream.
On the other side: The
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little messy.
> Am 03.05.2016 um 17:49 schrieb Guilhem
For instance, I run the unstable wordpress on a wheezy machine. And
each wordpress upgrade is painless, but a full upgrade to jessie would
be much more time consuming.
I agree for wordpress.
But roundcube is a little different. You don't have to run it on the
email server. It's just a box
Hi,
On Tue, 03 May 2016, Moritz Muehlenhoff wrote:
> What's the point in updating a server package like roundcube in LTS
> to the version from LTS+1? It creates significant churn on the sysadmin's
> side, which is better spent on upgrading the entire VM/machine to LTS+1.
I don't think this is
On 03.05.2016 at 18:37, Moritz Muehlenhoff wrote:
> On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
>> The second best solution would be to backport either the 1.0.x branch or
>> your jessie-backport packages to Wheezy. Since you actively maintain
>> them, what do you think, how
On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
> The second best solution would be to backport either the 1.0.x branch or
> your jessie-backport packages to Wheezy. Since you actively maintain
> them, what do you think, how complex is the task to backport the
> packages from
On 03.05.2016 at 17:49, Guilhem Moulin wrote:
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little
On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
> I agree, however I suspect most people using roundcube in production are
> probably using the backport... There's even a dangling backport in
> wheezy right now (0.9)... a little messy.
Sorry, I meant oldstable-backports not
On 2016-05-02 15:31:39, Guilhem Moulin wrote:
> Hi there,
>
> On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
>> Would you like to take care of this yourself?
>
> Not replying in the name of team (however I'm the one who pushed for
> Roundcube in jessie-backports and who is trying to
Hi there,
On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
> Would you like to take care of this yourself?
Not replying in the name of team (however I'm the one who pushed for
Roundcube in jessie-backports and who is trying to take care of it
there), unfortunately I don't have the
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/CVE-2016-4068
We know that roundcube is at least affected by CVE-2016-4068 in Wheezy but we
are interested