Your message dated Sun, 26 Aug 2012 12:48:26 +0000
with message-id <e1t5cgq-00084y...@franck.debian.org>
and subject line Bug#685475: fixed in roundcube 0.7.2-4
has caused the Debian Bug report #685475,
regarding roundcube: CVE-2012-3508
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
685475: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685475
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: roundcube
Severity: grave
Tags: security
Justification: user security hole

This was reported on the oss-sec mailing list:

Cheers,
        Moritz
--

> 2. Issue 2a: Description: Stored XSS in e-mail body. Ticket:
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
> https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
>
> Upon code review doesn't seem to affect rcmail we ship in Fedora /
> EPEL -> haven't filed RH bug for it. Could you double-check and
> confirm that?,
>
> Issue 2b: Self XSS in e-mail body (Signature). Ticket:
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
> https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
>
> The 'program/js/app.js' rcube_webmail() upstream change from the
> patch above seems to be applicable to Fedora / EPEL rcmail
> versions. Thus I have filed:
> https://bugzilla.redhat.com/show_bug.cgi?id=849615
>
> to track this. But not sure whole 'Self XSS in e-mail body
> (Signature).' upstream patch would apply with its logic to 0.7.x
> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
>
> Therefore this needs review by someone more familiar with
> rcube_webmail() routine code to decide if apply that patch or not.
> Could you do that?

Please use CVE-2012-3508 for these two issues (same version, same type
of vuln so cve merge).

--

--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 0.7.2-4

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <ber...@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Sun, 26 Aug 2012 14:20:24 +0200
Source: roundcube
Binary: roundcube-core roundcube roundcube-sqlite roundcube-mysql roundcube-pgsql roundcube-plugins
Architecture: source all
Version: 0.7.2-4
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintain...@lists.alioth.debian.org>
Changed-By: Vincent Bernat <ber...@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite - transitional dummy package
Closes: 685475
Changes: 
 roundcube (0.7.2-4) unstable; urgency=high
 .
   * Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475.


--- End Message ---
