Re: [SECURITY] [DSA 3541-1] roundcube security update
On Wed, Apr 6, 2016 at 2:08 AM, donoban wrote:
> Of course I would like to help

Some links to ways you can help with Debian security:

https://security-tracker.debian.org/tracker/data/report
https://www.debian.org/security/audit/
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
https://www.debian.org/security/
https://wiki.debian.org/Hardening
https://wiki.debian.org/Hardening/RepoAndImages
https://wiki.debian.org/Hardening/Goals

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Re: [SECURITY] [DSA 3541-1] roundcube security update
On 05/04/16 17:01, Sébastien Delafond wrote:
> There are *many* things to be taken care of security-wise in
> Debian, but the Security Team will always gladly review "easy"
> backports if you find time to provide them.
>
> Cheers,
>
> --Seb
>

Sorry, I did not mean to offend, and I am very grateful to the collaborators of Debian and also to the Security Team.

I started to worry about security some months ago, and one of my first decisions was to trust Debian instead of Fedora (which is the default distribution used on Qubes OS). Before installing Qubes OS / Debian I was an Ubuntu user (obviously not a security-oriented decision) and I was registered to the Ubuntu security list, although I did not read it very often.

In these months I have started to read Ubuntu's USNs and to see the CVEs they were fixing, and then I compared them with Debian, and I am very, very proud of my decision to trust Debian. Some CVEs are fixed even years before!

I would like to know if three months is a reasonable time to fix a problem like this, and if packages in testing / backports are more likely to have a higher delay than main / contrib...

Of course I would like to help, and probably I will migrate all my Roundcube installations to the jessie-backports package when there is a newer version (for now I prefer not to touch anything). But I want to know if there is something different between an Iceweasel/Icedove, linux or ssh problem and a roundcube one, if a problem with the former is more likely to be fixed faster...

Regards and ty for your work.
Re: [SECURITY] [DSA 3541-1] roundcube security update
On 2016-04-05, donoban wrote:
> Why did this take so long? The Roundcube team fixed this on 2015-12-26:
>
> https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released
>
> And it also seems an easy fix to backport:
>
> https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d
>
> I am asking because I am currently using the upstream Roundcube version
> but I had decided to switch to jessie-backports when I have to upgrade it.

There are *many* things to be taken care of security-wise in Debian, but the Security Team will always gladly review "easy" backports if you find time to provide them.

Cheers,

--Seb
Re: [SECURITY] [DSA 3541-1] roundcube security update
On 05/04/16 10:57, Sebastien Delafond wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3541-1                   secur...@debian.org
> https://www.debian.org/security/                       Sebastien Delafond
> April 05, 2016                        https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : roundcube
> CVE ID         : CVE-2015-8770
>
> High-Tech Bridge Security Research Lab discovered that Roundcube,
> a webmail client, contained a path traversal vulnerability. This
> flaw could be exploited by an attacker to access sensitive files on
> the server, or even execute arbitrary code.
>
> For the oldstable distribution (wheezy), this problem has been
> fixed in version 0.7.2-9+deb7u2.
>
> For the testing (stretch) and unstable (sid) distributions, this
> problem has been fixed in version 1.1.4+dfsg.1-1.
>
> We recommend that you upgrade your roundcube packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
>

Why did this take so long? The Roundcube team fixed this on 2015-12-26:

https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released

And it also seems an easy fix to backport:

https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d

I am asking because I am currently using the upstream Roundcube version but I had decided to switch to jessie-backports when I have to upgrade it.

Regards.
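The practical question behind this thread is whether a given roundcube installation is at or above the fixed version the advisory names, which on a Debian host is answered by `dpkg --compare-versions INSTALLED ge FIXED`. The following is an added example, not code from the thread or from Debian's tooling: a from-scratch Python reimplementation of the dpkg version comparison algorithm (epoch, then upstream, then revision; `~` sorts before everything, digit runs compare numerically), applied to the fixed versions quoted from DSA-3541-1 above. The suite keys and the sample installed versions are constructed for the demonstration, and jessie is left out because the quoted advisory gives no version for it.

```python
"""Compare Debian package versions against the fixed versions named in a DSA.

Added example: a from-scratch reimplementation of dpkg's version comparison
algorithm (Debian Policy 5.6.12), not Debian's own code. On a Debian host
the real check is `dpkg --compare-versions INSTALLED ge FIXED`.
"""

DIGITS = "0123456789"

# Fixed versions as stated in DSA-3541-1 (quoted in the thread above).
# jessie is omitted because the quoted advisory gives no version for it.
DSA_3541_FIXED = {
    "wheezy": "0.7.2-9+deb7u2",
    "stretch": "1.1.4+dfsg.1-1",
    "sid": "1.1.4+dfsg.1-1",
}


def _order(c: str) -> int:
    """dpkg's weight for a non-digit character: '~' sorts before anything
    (even end of string), end of string before letters, letters before
    other punctuation. Digits never reach this function."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component (upstream or revision) the dpkg way:
    alternate between lexical non-digit runs and numeric digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: leading zeros are insignificant; a longer run of digits
        # wins, otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]'; the revision follows the LAST '-'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision at all (native package)
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def is_fixed(installed: str, suite: str) -> bool:
    """True when the installed roundcube version is at or above the DSA's fix."""
    return compare_versions(installed, DSA_3541_FIXED[suite]) >= 0


if __name__ == "__main__":
    # Constructed sample: one host one security upload behind, one host at the fix.
    for suite, installed in [("wheezy", "0.7.2-9+deb7u1"), ("wheezy", "0.7.2-9+deb7u2")]:
        print(suite, installed, "fixed" if is_fixed(installed, suite) else "VULNERABLE")
```

The subtle cases this gets right are the ones that trip up naive string or tuple comparison: `1.0.8~rc1-1` sorts below `1.0.8-1` because of the tilde rule, `1.1.4+dfsg.1-1` sorts above `1.1.4-1`, and `+deb7u2` beats `+deb7u1` on the numeric tail rather than lexically. The same logic is what `dpkg --compare-versions` applies, so the function can be used to pre-check a fleet inventory exported from hosts where dpkg itself is not at hand.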