On Mon, 13 Jul 2009 14:27:31 +0200 Gerfried Fuchs <rho...@deb.at> wrote:

> ... which, in the case of this bugreport, is done. 0.1.1-9 did fix
> CVE-2008-5619 for etch-backports, so it rather seems to me that
> Benjamin got some things mixed up, unless the claimed patch in that
> upload wasn't complete.

Maybe this isn't really about CVS-2008-5616, but that's hard to say from my logs. All I saw was POSTs to roundcube-0.1.1-10~bpo40+2's admittedly horrible html2text.php and the same symptoms as reported for http://trac.roundcube.net/ticket/1485618 (i.e. file uploads and shell access as www-data).

> Would be great to get things straightened out. Benjamin, do you claim
> the package in etch-bpo affected by this bug and the fix to be
> incomplete, or what's the deal? I'm especially puzzled by your
> original version you reported it again to be 0.2.2-1 which is by far
> close to anything that's in backports - or way over the version that
> it was fixed in already. Do you claim by that that the patch got
> removed again, or were you just puzzled?

Debian bugreport is way too fancy for me: I reported a bug in roundcube-0.1.1-10~bpo40+2, while I already had 0.2.2-1 installed on that machine. Apparently this bug didn't get retagged in your bugzilla (?) incarnation.

Thanks,
Benjamin