Your message dated Sat, 10 Aug 2024 17:33:19 +0000
with message-id <e1scpxv-00blrg...@fasolo.debian.org>
and subject line Bug#1077969: fixed in roundcube 1.6.5+dfsg-1+deb12u3
has caused the Debian Bug report #1077969,
regarding roundcube: CVE-2024-42008, CVE-2024-42009, CVE-2024-42010: XSS and 
information leak vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1077969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077969
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.7+dfsg-1
Severity: important
Found: -1 1.4.15+dfsg.1-1+deb11u3
Found: -1 1.6.5+dfsg-1+deb12u2
Tags: upstream security

Roundcube webmail upstream has recently released 1.6.8 [0] which fixes
the following vulnerabilities:

 * CVE-2024-42008: XSS vulnerability in serving of attachments other
   than HTML or SVG
   https://github.com/roundcube/roundcubemail/commit/89c8fe9ae9318c015807fbcbf7e39555fb30885d
 * CVE-2024-42009: XSS vulnerability in post-processing of sanitized
   HTML content
   https://github.com/roundcube/roundcubemail/commit/68af7c864a36e1941764238dac440ab0d99a8d26
 * CVE-2024-42010: information leak (access to remote content) via
   insufficient CSS filtering
   https://github.com/roundcube/roundcubemail/commit/602d0f566eb39b6dcb739ad78323ec434a3b92ce

-- 
Guilhem.

[0] https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8



--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.5+dfsg-1+deb12u3
Done: Guilhem Moulin <guil...@debian.org>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1077...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Aug 2024 16:02:54 +0200
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintain...@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 1077969
Changes:
 roundcube (1.6.5+dfsg-1+deb12u3) bookworm-security; urgency=high
 .
   * Cherry pick upstream security fixes from v1.6.8 (closes: #1077969):
     + CVE-2024-42008: Cross-site scripting (XSS) vulnerability in serving of
       attachments other than HTML or SVG.
     + CVE-2024-42009: Cross-site scripting (XSS) vulnerability in
       post-processing of sanitized HTML content.
     + CVE-2024-42010: Fix information leak (access to remote content) via
       insufficient CSS filtering.
   * Cherry pick further upstream changes from v1.6.8:
     + Fix fatal error when parsing some TNEF attachments.
     + Fix bug where an unhandled exception was caused by an invalid image
       attachment.
     + Fix infinite loop when parsing malformed Sieve script.
     + Fix bug where imap_conn_option's 'socket' was ignored.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
