Your message dated Tue, 29 Oct 2013 21:17:39 +0000
with message-id <e1vbgft-0001kz...@franck.debian.org>
and subject line Bug#727668: fixed in roundcube 0.7.2-9+deb7u1
has caused the Debian Bug report #727668,
regarding roundcube: CVE-2013-6172: vulnerability in handling _session argument of utils/save-prefs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
727668: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: roundcube
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for roundcube.
CVE-2013-6172[0]:
vulnerability in handling _session argument of utils/save-prefs
See [1] for further information.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6172
http://security-tracker.debian.org/tracker/CVE-2013-6172
[1] http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
[2] http://trac.roundcube.net/ticket/1489382
Please adjust the affected versions in the BTS as needed (not yet
verified whether roundcube in oldstable/squeeze is also affected).
Would you have a chance to prepare packages for wheezy-security as well (and
squeeze-security if affected)?
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 0.7.2-9+deb7u1
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 727...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 26 Oct 2013 00:24:14 +0200
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-plugins
Architecture: source all
Version: 0.7.2-9+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
roundcube-core - skinnable AJAX based webmail solution for IMAP servers
roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
Closes: 727668
Changes:
roundcube (0.7.2-9+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2013-6172.patch patch.
CVE-2013-6172: An attacker can overwrite configuration settings
using user preferences. This can result in random file access,
manipulated SQL queries and even code execution. (Closes: #727668)
--- End Message ---