Your message dated Sat, 08 Jan 2022 19:17:39 +0000
with message-id <[email protected]>
and subject line Bug#1003027: fixed in roundcube 1.3.17+dfsg.1-1~deb10u2
has caused the Debian Bug report #1003027,
regarding roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1003027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003027
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: roundcube
Severity: important
Tags: security
Control: found -1 1.3.17+dfsg.1-1~deb10u1
Control: found -1 1.4.12+dfsg.1-1~deb11u1
Control: fixed -1 1.5.1+dfsg-1

In a recent post roundcube webmail upstream has announced a fix for a
cross-site scripting (XSS) vulnerability via HTML messages with
malicious CSS content.

Upstream fix for the 1.4 LTS branch:
https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8

There was no new 1.3 LTS release but AFAICT 1.3 is affected as well and
the same fix applies.

-- 
Guilhem.

[0] https://roundcube.net/news/2021/12/30/security-update-1.4.13-released
    https://roundcube.net/news/2021/12/30/update-1.5.2-released



--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.3.17+dfsg.1-1~deb10u2
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Jan 2022 09:04:44 +0100
Source: roundcube
Architecture: source
Version: 1.3.17+dfsg.1-1~deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1003027
Changes:
 roundcube (1.3.17+dfsg.1-1~deb10u2) buster-security; urgency=high
 .
   * Backport fix for CVE-2021-46144: Fix cross-site scripting (XSS) via HTML
     messages with malicious CSS content. (Closes: #1003027)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
