Your message dated Wed, 19 Jun 2024 18:33:37 +0000
with message-id <[email protected]>
and subject line Bug#1071474: fixed in roundcube 1.4.15+dfsg.1-1+deb11u3
has caused the Debian Bug report #1071474,
regarding roundcube: CVE-2024-37384, CVE-2024-37383: XSS Vulnerabilities in 
handling list columns and SVG animate attributes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1071474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071474
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.6+dfsg-2
Severity: important
Control: found -1 1.6.5+dfsg-1~deb12u1
Control: found -1 1.4.15+dfsg.1-1~deb11u2
Control: found -1 1.3.17+dfsg.1-1~deb10u5
Tags: security upstream

Roundcube webmail upstream has recently released 1.6.7 [0] which fixes
the following vulnerabilities:

 *  Fix command injection via crafted im_convert_path/im_identify_path
    on Windows.
    https://github.com/roundcube/roundcubemail/commit/7da322371fd00a54670a5d6679faae0fcbd3f229
 *  Fix cross-site scripting (XSS) vulnerability in handling list
    columns from user preferences.
    https://github.com/roundcube/roundcubemail/commit/9ca8aa6680c579132e0d1fa59447df8d524ec91c
 *  Fix cross-site scripting (XSS) vulnerability in handling SVG animate
    attributes.
    https://github.com/roundcube/roundcubemail/commit/ba252dc5e2946506cb8d0b50b2b7bf95ab51876f

AFAICT no CVE-ID has been published for these issues, I'll request them.

-- 
Guilhem.

[0] https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7

--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.4.15+dfsg.1-1+deb11u3
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 17 Jun 2024 04:10:38 +0200
Source: roundcube
Architecture: source
Version: 1.4.15+dfsg.1-1+deb11u3
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1071474
Changes:
 roundcube (1.4.15+dfsg.1-1+deb11u3) bullseye-security; urgency=high
 .
   * Fix CVE-2024-37384: Cross-site scripting (XSS) vulnerability in handling
     list columns from user preferences. (Closes: #1071474)
   * Fix CVE-2024-37383: Cross-site scripting (XSS) vulnerability in handling
     SVG animate attributes. (Closes: #1071474)


--- End Message ---