Your message dated Wed, 19 Jun 2024 18:32:09 +0000
with message-id <[email protected]>
and subject line Bug#1071474: fixed in roundcube 1.6.5+dfsg-1+deb12u2
has caused the Debian Bug report #1071474,
regarding roundcube: CVE-2024-37384, CVE-2024-37383: XSS Vulnerabilities in
handling list columns and SVG animate attributes
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1071474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071474
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.6+dfsg-2
Severity: important
Control: found -1 1.6.5+dfsg-1~deb12u1
Control: found -1 1.4.15+dfsg.1-1~deb11u2
Control: found -1 1.3.17+dfsg.1-1~deb10u5
Tags: security upstream
Roundcube webmail upstream has recently released 1.6.7 [0] which fixes
the following vulnerabilities:
 * Fix command injection via crafted im_convert_path/im_identify_path
   on Windows.
   https://github.com/roundcube/roundcubemail/commit/7da322371fd00a54670a5d6679faae0fcbd3f229
 * Fix cross-site scripting (XSS) vulnerability in handling list
   columns from user preferences.
   https://github.com/roundcube/roundcubemail/commit/9ca8aa6680c579132e0d1fa59447df8d524ec91c
 * Fix cross-site scripting (XSS) vulnerability in handling SVG animate
   attributes.
   https://github.com/roundcube/roundcubemail/commit/ba252dc5e2946506cb8d0b50b2b7bf95ab51876f
AFAICT no CVE-ID has been published for these issues, I'll request them.
--
Guilhem.
[0] https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.5+dfsg-1+deb12u2
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 17 Jun 2024 03:15:26 +0200
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1071474
Changes:
 roundcube (1.6.5+dfsg-1+deb12u2) bookworm-security; urgency=high
 .
   * Fix CVE-2024-37384: Cross-site scripting (XSS) vulnerability in handling
     list columns from user preferences. (Closes: #1071474)
   * Fix CVE-2024-37383: Cross-site scripting (XSS) vulnerability in handling
     SVG animate attributes. (Closes: #1071474)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---