Your message dated Mon, 29 Nov 2021 18:17:25 +0000
with message-id <[email protected]>
and subject line Bug#1000156: fixed in roundcube 1.3.17+dfsg.1-1~deb10u1
has caused the Debian Bug report #1000156,
regarding roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
1000156: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000156
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Severity: important
Tags: security
Control: found -1 1.3.16+dfsg.1-1~deb10u1
Control: found -1 1.4.11+dfsg.1-4
Control: fixed -1 1.5.0+dfsg.1-1

In a recent post roundcube webmail upstream has announced the following security fixes:

 * Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
 * Fix possible SQL injection via some session variables

sid/bookworm's 1.5.0+dfsg.1-2 is not affected.

Upstream fixes for LTS branches:

1.4.x
https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1

1.3.x
https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa

--
Guilhem.

[0] https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.3.17+dfsg.1-1~deb10u1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Nov 2021 19:52:34 +0100
Source: roundcube
Architecture: source
Version: 1.3.17+dfsg.1-1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1000156
Changes:
 roundcube (1.3.17+dfsg.1-1~deb10u1) buster-security; urgency=high
 .
   * New bugfix/security upstream release (closes: #1000156), with fixes for:
     + CVE-2021-44025: XSS issue in handling attachment filename extension in
       mimetype mismatch warning; and
     + CVE-2021-44026: possible SQL injection via some session variables.
   * Refresh d/patches.
   * Refresh d/upstream/signing-key.asc.
   * d/gbp.conf: Rename upstream branch to upstream/release-1.3.
Checksums-Sha1:
 60dec2e7f716f676620b39092d0542ee6896c35c 2487 roundcube_1.3.17+dfsg.1-1~deb10u1.dsc
 049b02152dc5e7a640fbc5e9ea59ac374c235298 2186304 roundcube_1.3.17+dfsg.1.orig.tar.xz
 ed2717075cda99eb7383cd84d64e43fcf8c6bbb7 3054684 roundcube_1.3.17+dfsg.1-1~deb10u1.debian.tar.xz
 a1d08aa29bd5515a5688297a00059b1e32504422 9339 roundcube_1.3.17+dfsg.1-1~deb10u1_amd64.buildinfo
Checksums-Sha256:
 07d4b520e36900c5ac213da5f93aa44c81e7c02a340a0f2a0c940db33242be4b 2487 roundcube_1.3.17+dfsg.1-1~deb10u1.dsc
 de5fa96b2e5fb9c6584e06c7dea6f959dcd5f24950cf22f2125f1da1450ef3cb 2186304 roundcube_1.3.17+dfsg.1.orig.tar.xz
 f72cd55bc0e6f822350e5635d96d881764886b601c2857172ddea852d1306e92 3054684 roundcube_1.3.17+dfsg.1-1~deb10u1.debian.tar.xz
 149a1612336afa7b5db1f0a5ca929e13376ce38f6b26edd9a6731ed762c11ded 9339 roundcube_1.3.17+dfsg.1-1~deb10u1_amd64.buildinfo
Files:
 430dddff4b3c764ed7593f2fc8833a81 2487 web optional roundcube_1.3.17+dfsg.1-1~deb10u1.dsc
 d6e1afb06f95297460a0cecc43c5ec17 2186304 web optional roundcube_1.3.17+dfsg.1.orig.tar.xz
 1f087b1bf713c6a294ecefc415573da8 3054684 web optional roundcube_1.3.17+dfsg.1-1~deb10u1.debian.tar.xz
 2981ccd2e0122d64ae97b5e463af43c3 9339 web optional roundcube_1.3.17+dfsg.1-1~deb10u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmGfucEACgkQ05pJnDwh
pVKvYhAAoXcJbkpR9yda6luqrsJmavzv305C/Oqd878dO4fig1wX6NL+/76S2jyW
l9bH+AHmLZp3AYuWpSHeTwXcyz6is9rlMQao9zSMyqlJiJqVcAyaOLvVX3CTrtB5
1Oez7T7f5bBAW46hgzzfSrPQB+PCxpmaOYxHtcbW8sLFzpV/Lxwk4iiM31cv7gQ2
Ljvk3nKSxPrkfGtPsGGaXjGRUZ+fl3lodNbc3oUuvEm6K4gEPkwO7xYEOfHtyBU2
pihXdzNJUtdRgHyw7gftZMxgxcdcFrvxA58ZpEDdSvRlbLIYZ9o5sAkKXnJxJk9e
DJcPFJYsZFOlmUwWbU1uPQ/0bUe1bUZCHliTOOJ5hSiKXARNVP5Bd3iHEhaWQbUS
JPoYzBaYIeMNeLNzInGozkiJaEVZIvZSQROdd/wbQNvfKF9YvLA1iQLReZFOJdJx
9RDdVxbJtC0iFYBOc+mGXnovM4k2L6e31nJ3bZoFFNQZIrlwYTPwB3GePasIiXvL
7or2NK0juZyMaWi6lqnmPKKN1GMOL6ZhAt2xbrihQW05zuuk9Zt0Hy4nnjMt19vF
37ae4uELptZaC0rCLroCy7orfV1vMMCL05IXiXSSsAMA7U10AHiDC48Ywh7yhukq
hsbCaHLsuaCvtpXjD5aNmkNykVCcCVPTe270U67U4nGA+jVXvq4=
=POFN
-----END PGP SIGNATURE-----
--- End Message ---

