Re: Wheezy update of roundcube?

2017-11-19 Thread Guilhem Moulin
Hi Ola,

Sorry for the delay, not sure if you got an answer yet; either way I'm
not answering on behalf of the team here.

On Sat, 11 Nov 2017 at 20:14:38 +0100, Ola Lundqvist wrote:
> Would you like to take care of this yourself?
> 
> The proposed patch for later release will not apply cleanly to the version
> in wheezy so the porting work is larger than usual.
> […]
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

Unfortunately I no longer have any machine running Wheezy so I don't
have an easy way to adapt the patch or test the package anymore :-/

Cheers,
-- 
Guilhem.




Re: Wheezy update of roundcube

2016-09-07 Thread Ola Lundqvist
Hi

If you are sure CVE-2016-4068 is mitigated then we should be able to
mark it as fixed.
But you need to be sure. :-)

// Ola

On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzog  wrote:
> Hi Markus,
>
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on everything you like. Fixing CVE-2014-9587 together
>> with CVE-2016-4069 isn't strictly required but you could probably reuse
>> some of your work if you try to tackle these issues. In any case the
>> whole CSRF complex requires much more work IMO and unless you are
>> already familiar with Roundcube and PHP it might not be the right
>> package to start with. It's up to you.
>
> It was indeed a non-trivial amount of work... but the attached patch
> fixes CVE-2016-4069 according to my tests (i.e. download requests
> without _token do fail).
>
> On Thursday I will see if I can deal with CVE-2014-9587 as well.
>
> Then there's https://security-tracker.debian.org/tracker/CVE-2016-4068
> you left it open but it's mitigated since one cannot view SVG files.
> There is a patch available now
> (https://github.com/roundcube/roundcubemail/commit/a1fdb205f824dee7fd42dda739f207abc85ce158)
> but I'm not sure it's worth the effort of the backport. Because
> backporting this patch would also require backporting the real
> fix for https://security-tracker.debian.org/tracker/CVE-2015-8864
> which is also rather involved.
>
> Thus I'm tempted to just mark the CVE-2016-4068 as fixed with your DLA-537-1.
>
> What do you think?
>
> I just spent 5 hours just for the attached patch...
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/



-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com        Folkebogatan 26                          \
|  o...@debian.org        654 68 KARLSTAD                          |
|  http://inguza.com/     Mobile: +46 (0)70-332 1551               |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9     /
 ---
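To illustrate the `_token` check Raphaël describes above (a download request is refused when the token is missing), here is an added, stand-alone PHP sketch of a per-session CSRF token on a download endpoint. It is not Roundcube's code: the function names `csrf_token`, `csrf_token_valid`, `download_url` and `handle_download`, the `download.php` handler and the `_uid`/`_part` query keys are assumptions, and Roundcube's own `secure_url`/`request_security_check` are implemented differently.

```php
<?php
// Added example, not Roundcube's implementation: a session-bound CSRF
// token that every download request must carry in the `_token` parameter.

session_start();

// Return the session's CSRF token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes, hex-encoded: unguessable and tied to this session.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare a submitted token against the session's token in constant time.
// A missing or empty token never validates; that is the "fail" Raphaël tested.
function csrf_token_valid(?string $submitted, string $expected): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Build a download link carrying the token, so links issued by the webmail UI
// pass the check while a link forged by a third-party page cannot (it does not
// know the victim's session token).
function download_url(string $uid, string $part): string
{
    return 'download.php?' . http_build_query([
        '_uid'   => $uid,
        '_part'  => $part,
        '_token' => csrf_token(),
    ]);
}

// Handler side: refuse the download unless the token checks out.
// Returns the HTTP status that was sent (403 on a missing/wrong token).
function handle_download(array $query): int
{
    if (!csrf_token_valid($query['_token'] ?? null, csrf_token())) {
        http_response_code(403);
        return 403;
    }
    // ... stream the requested attachment here ...
    return 200;
}

// Self-check with constructed input when run from the CLI.
if (PHP_SAPI === 'cli') {
    $with    = handle_download(['_uid' => '42', '_part' => '2', '_token' => csrf_token()]);
    $without = handle_download(['_uid' => '42', '_part' => '2']);
    echo "with token: $with, without token: $without\n";
}
```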



Re: Wheezy update of roundcube

2016-07-20 Thread Lucas Kanashiro


On 07/20/2016 02:23 PM, Markus Koschany wrote:
> Hi,
>
> Feel free to work on everything you like. Fixing CVE-2014-9587 together
> with CVE-2016-4069 isn't strictly required but you could probably reuse
> some of your work if you try to tackle these issues. In any case the
> whole CSRF complex requires much more work IMO and unless you are
> already familiar with Roundcube and PHP it might not be the right
> package to start with. It's up to you.
>

Sure, so I guess I'll claim another package.

Thanks again.

-- 
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C






Re: Wheezy update of roundcube

2016-07-20 Thread Lucas Kanashiro
Hi Markus,


On 07/20/2016 01:12 PM, Markus Koschany wrote:
> Hello Lucas,
>
> I have prepared the last update of roundcube and just had a look at your
> patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as
> simple as it looks at first glance. The whole foundation to protect
> against CSRF is missing. For instance the secure_url or
> request_security_check functions are not implemented in your patch or in
> the original version in Wheezy and without them your patch won't work. I
> think a proper fix requires more backporting work. Fixing CVE-2014-9587
> should also be considered because it also deals with a CSRF
> vulnerability but wasn't deemed important enough back then.
>

Thanks for your feedback. I am not a PHP expert and this is my first
contribution to the LTS team, so sorry for any problem. Do you think it is
worth working on CVE-2014-9587? Or should I leave this package and try to
work on another one?

Thanks a lot!
Cheers.

-- 
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C






Re: Wheezy update of roundcube?

2016-06-20 Thread Markus Koschany
On 20.06.2016 10:56, Brian May wrote:
> Brian May  writes:
> 
>> Markus Koschany  writes:
>>
>>> I just had a closer look at the vulnerabilities. I have marked
>>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>>> the vulnerable code is not present in this version. There is no upstream
>>> fix available for CVE-2016-4086.
>>>
>>> That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
>>> needs more investigation. Some affected plugins don't exist in Wheezy,
>>> the rest of the code is quite different.
>>>
>>> If you agree I intend to fix the two CVEs shortly. At the moment I think
>>> a backport is not necessary.
>>
>> Not sure if you were asking me or the mailing list, however no
>> objections from me. I say go ahead and do it.
> 
> Did you still want to do this?
> 

Yes, it is done but I haven't found the time to properly test it yet. I
expect an announcement this month.

Regards,

Markus





Re: Wheezy update of roundcube?

2016-06-20 Thread Brian May
Brian May  writes:

> Markus Koschany  writes:
>
>> I just had a closer look at the vulnerabilities. I have marked
>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>> the vulnerable code is not present in this version. There is no upstream
>> fix available for CVE-2016-4086.
>>
>> That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
>> needs more investigation. Some affected plugins don't exist in Wheezy,
>> the rest of the code is quite different.
>>
>> If you agree I intend to fix the two CVEs shortly. At the moment I think
>> a backport is not necessary.
>
> Not sure if you were asking me or the mailing list, however no
> objections from me. I say go ahead and do it.

Did you still want to do this?
-- 
Brian May 



Re: Wheezy update of roundcube?

2016-06-11 Thread Brian May
Markus Koschany  writes:

> I just had a closer look at the vulnerabilities. I have marked
> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
> the vulnerable code is not present in this version. There is no upstream
> fix available for CVE-2016-4086.
>
> That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
> needs more investigation. Some affected plugins don't exist in Wheezy,
> the rest of the code is quite different.
>
> If you agree I intend to fix the two CVEs shortly. At the moment I think
> a backport is not necessary.

Not sure if you were asking me or the mailing list, however no
objections from me. I say go ahead and do it.
-- 
Brian May 



Re: Re: Wheezy update of roundcube?

2016-06-09 Thread Brian May
Adrian Zaugg  writes:

> I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.

I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1
from jessie-backports instead.

Unfortunately it needs a newer version of libjs-jquery then what is
available in Wheezy:


Install roundcube build dependencies (apt-based resolver)
-

Installing build dependencies
Reading package lists...
Building dependency tree...
Reading state information...
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 sbuild-build-depends-roundcube-dummy : Depends: libjs-jquery-ui (>= 1.10) but 
it is not going to be installed
E: Unable to correct problems, you have held broken packages.
apt-get failed.
E: Package installation failed
Not removing build depends: cloned chroot in use

-- 
Brian May 



Re: Wheezy update of roundcube?

2016-05-09 Thread Sandro Knauß
Hey,

On the one side I'm totally with Guilhem that getting rid of the old
roundcube in old-stable would be the best thing. Upstream itself has not
supported this version for a long time. I'm not sure whether upstream still
files any CVEs for such old versions.

On the other side: the upgrade from 0.7->0.9->1.0 was never tested on a big
audience, because roundcube was not released with stable. So we have a very
small test set that tested this upgrade. So pushing this upgrade to LTS is
exactly the opposite of providing a stable upgrade.

Regards,

sandro

--
On Tuesday, 3 May 2016, 18:52:32 CEST, Markus Koschany wrote:
> On 03.05.2016 at 18:37, Moritz Muehlenhoff wrote:
> > On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
> >> The second best solution would be to backport either the 1.0.x branch or
> >> your jessie-backport packages to Wheezy. Since you actively maintain
> >> them, what do you think, how complex is the task to backport the
> >> packages from jessie-backports to Wheezy?
> > 
> > What's the point in updating a server package like roundcube in LTS
> > to the version from LTS+1? It creates significant churn on the sysadmin's
> > side, which is better spent on upgrading the entire VM/machine to LTS+1.
> > 
> > Clearly not all packages are suitable for five years maintenance, so it's
> > better to not paper over the systems, but rather make this explicit.
> 
> You should also take into consideration that Roundcube is a web
> application and depending on the package in question and options
> available, a backport is a reasonable solution, for the same reasons we
> have backported other packages before. Also the whole point of LTS is
> that you don't have to upgrade the entire system, especially if you run
> multiple different PHP applications on the same server. The order of
> options is still valid.
> 
> Regards,
> 
> Markus





Re: Re: Wheezy update of roundcube?

2016-05-04 Thread Adrian Zaugg
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little messy.

> On 03.05.2016 at 17:49, Guilhem Moulin wrote:
>> Agreed, I think 0.9 should be either removed from the archive or
>> superseded by 1.0.x.

To keep Roundcube 0.7.x and remove 0.9.x is not a good option in my
opinion. I agree with Antoine that probably a lot of people are using the
backported 0.9.x version, since 0.7 is by far not as usable as 0.9.

I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.

Regards, Adrian.



Re: Wheezy update of roundcube?

2016-05-04 Thread Gabriel Moreau

> For instance, I run the unstable wordpress on a wheezy machine. And
> each wordpress upgrade is painless, but a full upgrade to jessie would
> be much more time consuming.


I agree for wordpress.

But roundcube is a little different. You don't have to run it on the
email server. It's just a box with a config file but no data. When you
upgrade the roundcube version, you have to upgrade the config file most of
the time.


gaby

PS : but a new roundcube will be pleasant for me too ;-)
--
Gabriel Moreau - IR CNRS    http://www.legi.grenoble-inp.fr
LEGI (UMR 5519) Laboratoire des Ecoulements Geophysiques et Industriels
BP53, 38041 Grenoble Cedex, France
mailto:gabriel.mor...@legi.grenoble-inp.fr  tel:+33.476.825.015



Re: Wheezy update of roundcube?

2016-05-04 Thread Raphael Hertzog
Hi,

On Tue, 03 May 2016, Moritz Muehlenhoff wrote:
> What's the point in updating a server package like roundcube in LTS
> to the version from LTS+1? It creates significant churn on the sysadmin's
> side, which is better spent on upgrading the entire VM/machine to LTS+1.

I don't think this is entirely true. It really depends on the work that
such an update generates but depending on the webapp, this might amount
to nothing.

For instance, I run the unstable wordpress on a wheezy machine. And
each wordpress upgrade is painless, but a full upgrade to jessie would
be much more time consuming.

And in general, we (Debian in general) are more open to the idea of having
such high level applications with no reverse dependencies to be upgraded
to new upstream versions when that is the only possibility.

Not supporting the package is the worst outcome in my opinion.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: Wheezy update of roundcube?

2016-05-03 Thread Markus Koschany
On 03.05.2016 at 18:37, Moritz Muehlenhoff wrote:
> On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
>> The second best solution would be to backport either the 1.0.x branch or
>> your jessie-backport packages to Wheezy. Since you actively maintain
>> them, what do you think, how complex is the task to backport the
>> packages from jessie-backports to Wheezy?
> 
> What's the point in updating a server package like roundcube in LTS
> to the version from LTS+1? It creates significant churn on the sysadmin's
> side, which is better spent on upgrading the entire VM/machine to LTS+1.
> 
> Clearly not all packages are suitable for five years maintenance, so it's
> better to not paper over the systems, but rather make this explicit.

You should also take into consideration that Roundcube is a web
application and depending on the package in question and options
available, a backport is a reasonable solution, for the same reasons we
have backported other packages before. Also the whole point of LTS is
that you don't have to upgrade the entire system, especially if you run
multiple different PHP applications on the same server. The order of
options is still valid.

Regards,

Markus






Re: Wheezy update of roundcube?

2016-05-03 Thread Moritz Muehlenhoff
On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
> The second best solution would be to backport either the 1.0.x branch or
> your jessie-backport packages to Wheezy. Since you actively maintain
> them, what do you think, how complex is the task to backport the
> packages from jessie-backports to Wheezy?

What's the point in updating a server package like roundcube in LTS
to the version from LTS+1? It creates significant churn on the sysadmin's
side, which is better spent on upgrading the entire VM/machine to LTS+1.

Clearly not all packages are suitable for five years maintenance, so it's
better to not paper over the systems, but rather make this explicit.

Cheers,
Moritz



Re: Wheezy update of roundcube?

2016-05-03 Thread Markus Koschany
On 03.05.2016 at 17:49, Guilhem Moulin wrote:
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little messy.
> 
> Sorry, I meant oldstable-backports not oldstable.  Packaging 1.0.x for
> wheezy-backports sounds much easier than backporting security patches to
> wheezy's 0.7.x.

Hi,

the backports team regularly rejects packages that try to fix bugs or
even security vulnerabilities by providing the fixes with
{wheezy|jessie}-backports instead of fixing them via stable or security
updates directly.

I'm not sure yet how difficult it would be to backport the fixes to the
0.7.x branch and if all CVEs apply to Wheezy but that would be the
preferred solution which might also be less disruptive.

The second best solution would be to backport either the 1.0.x branch or
your jessie-backport packages to Wheezy. Since you actively maintain
them, what do you think, how complex is the task to backport the
packages from jessie-backports to Wheezy?

>> I filed a bug about the dangling backport in wheezy:
>>
>>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813843
>>
>> I wonder how best to deal with this: should the backport just be removed
>> or what?
> 
> Agreed, I think 0.9 should be either removed from the archive or
> superseded by 1.0.x.

+1

I'm all for removing it as soon as possible from backports. We don't
need to wait for updated packages.

Regards,

Markus





Re: Wheezy update of roundcube?

2016-05-03 Thread Guilhem Moulin
On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
> I agree, however I suspect most people using roundcube in production are
> probably using the backport... There's even a dangling backport in
> wheezy right now (0.9)... a little messy.

Sorry, I meant oldstable-backports not oldstable.  Packaging 1.0.x for
wheezy-backports sounds much easier than backporting security patches to
wheezy's 0.7.x.
 
> I filed a bug about the dangling backport in wheezy:
> 
>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813843
> 
> I wonder how best to deal with this: should the backport just be removed
> or what?

Agreed, I think 0.9 should be either removed from the archive or
superseded by 1.0.x.

Cheers,
-- 
Guilhem.




Re: Wheezy update of roundcube?

2016-05-03 Thread Antoine Beaupré
On 2016-05-02 15:31:39, Guilhem Moulin wrote:
> Hi there,
>
> On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
>> Would you like to take care of this yourself?
>
> Not replying in the name of the team (however I'm the one who pushed for
> Roundcube in jessie-backports and who is trying to take care of it
> there), unfortunately I don't have the time nor energy to take care of
> an oldstable version.
>
> That being said, I think packaging the Roundcube 1.0.x (stable) branch
> would be the easiest for Wheezy.
>
> https://github.com/roundcube/roundcubemail/releases/

I agree, however I suspect most people using roundcube in production are
probably using the backport... There's even a dangling backport in
wheezy right now (0.9)... a little messy.

I filed a bug about the dangling backport in wheezy:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813843

I wonder how best to deal with this: should the backport just be removed
or what?

A.

-- 
You Are What You Is
- Frank Zappa



Re: Wheezy update of roundcube?

2016-05-02 Thread Guilhem Moulin
Hi there,

On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
> Would you like to take care of this yourself?

Not replying in the name of the team (however I'm the one who pushed for
Roundcube in jessie-backports and who is trying to take care of it
there), unfortunately I don't have the time nor energy to take care of
an oldstable version.

That being said, I think packaging the Roundcube 1.0.x (stable) branch
would be the easiest for Wheezy.

https://github.com/roundcube/roundcubemail/releases/

Cheers,
-- 
Guilhem.

