
Bug#1052059: roundcube: Please apply security fix from 1.6.3


Martin Dosch

Sep 16, 2023, 2:50:05 PM
Package: roundcube
Severity: normal
Tags: upstream

Dear Maintainer,

upstream released version 1.6.3 which fixes a security issue with the
1.6.x and I kindly ask you to apply the fix for the version in Debian
stable.

https://roundcube.net/news/2023/09/15/security-update-1.6.3-released

Best regards,
Martin

-- System Information:
Debian Release: 12.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-12-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages roundcube depends on:
ii dpkg 1.21.22
pn roundcube-core <none>

roundcube recommends no packages.

roundcube suggests no packages.

Martin Dosch

Sep 17, 2023, 3:10:04 AM
Dear maintainer,

actually I chose a high priority for this issue but reportbug reduced severity to normal. Maybe someone could increase it to an appropriate severity.

Best regards,
Martin

Guilhem Moulin

Sep 18, 2023, 8:10:05 AM
I requested a CVE ID for this issue.

--
Guilhem.

Guilhem Moulin

Sep 22, 2023, 4:10:05 AM
Control: retitle -1 roundcube: CVE-2023-43770: XSS vulnerability in handling of linkrefs in plain text messages

On Mon, 18 Sep 2023 at 13:59:47 +0200, Guilhem Moulin wrote:
> I requested a CVE ID for this issue.

CVE-2023-43770 for this. I'll suggest debdiffs targeting
{bullseye,bookworm}-security after the week-end.

--
Guilhem.

Guilhem Moulin

Sep 22, 2023, 4:20:05 AM
On Fri, 22 Sep 2023 at 10:56:59 +0300, Guilhem Moulin wrote:
> I'll suggest debdiffs targeting {bullseye,bookworm}-security after
> the week-end.

Oh, didn't see the Security Team tagged this as no-dsa. Will target
{bullseye,bookworm} then.

--
Guilhem.

Guilhem Moulin

Sep 28, 2023, 11:40:05 AM
On Thu, 28 Sep 2023 at 18:26:07 +0300, Martin Dosch via Pkg-roundcube-maintainers wrote:
> Are there plans to also upload it to stable-pu?

See #1052629

--
Guilhem.