Your message dated Mon, 14 Mar 2022 00:06:38 +0000 with message-id <e1ntyeq-000iri...@fasolo.debian.org> and subject line Bug#1003027: fixed in roundcube 1.6~beta+dfsg-1 has caused the Debian Bug report #1003027, regarding roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1003027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003027
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: roundcube
Severity: important
Tags: security
Control: found -1 1.3.17+dfsg.1-1~deb10u1
Control: found -1 1.4.12+dfsg.1-1~deb11u1
Control: fixed -1 1.5.1+dfsg-1

In a recent post roundcube webmail upstream has announced a fix for a cross-site scripting (XSS) vulnerability via HTML messages with malicious CSS content.

Upstream fix for the 1.4 LTS branch: https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8

There was no new 1.3 LTS release but AFAICT 1.3 is affected as well and the same fix applies.

--
Guilhem.

[0] https://roundcube.net/news/2021/12/30/security-update-1.4.13-released
    https://roundcube.net/news/2021/12/30/update-1.5.2-released
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6~beta+dfsg-1
Done: Guilhem Moulin <guil...@debian.org>

We believe that the bug you reported is fixed in the latest version of roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1003...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 14 Mar 2022 00:16:05 +0100
Source: roundcube
Architecture: source
Version: 1.6~beta+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintain...@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 1000642 1003027
Changes:
 roundcube (1.6~beta+dfsg-1) experimental; urgency=medium
 .
   * New beta upstream release. Highlights for major version 1.6 include:
     - Full PHP 8.1 support (closes: #1000642)
     - Unified and simplified services connection options:
       . renamed `default_host` resp. `smtp_server` to `imap_host` resp. `smtp_host`
       . removed `default_port`, `smtp_port`, `managesieve_port` and `managesieve_usetls` options
     - The classic and larry skins are no longer included in the upstream repository hence are excluded from this source package; we will ship in separate packages.
   * Add d/roundcube-core.NEWS to highlight the above.
   * Update default value for roundcube/hosts template to "localhost:143" to match the upstream default.
   * Update d/copyright.
   * Update d/sql.
   * Refresh d/patches. Remove the following patches (now obsolete or applied upstream):
     - fix-FTBFS-with-phpunit-8.patch
     - fix-file-list-in-phpunit-configuration.patch
     - fix-FTBFS-with-phpunit-9.patch
   * Add patch to fix `$rcmail->format_date(.., 'x')` calls.
   * Remove mismatched Lintian override.
   * Add 'Restrictions: rw-build-tree' to the phpunit DEP-8 test as it writes into tests/.phpunit.result.cache.
   * Add aspell-en and php-pspell to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Framework_SpellcheckerPspell.
   * Add hunspell-en-us and php-enchant to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Framework_SpellcheckerEnchant.
   * Add php-roundcube-rtf-html-php to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Framework_TnefDecoder.
   * Add php-bacon-qr-code to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Actions_Contacts_Qrcode.
   * d/rules, d/t/control: Mark flaky tests as such and run phpunit with `--exclude-group=flaky --fail-on-skipped` in build-time and DEP-8 tests.
   * CI: Disable piuparts which is bound to fail due to the schema upgrade.
   * d/rules: Replace '$(dir $@)' with '$(@D)'.
 .
 roundcube (1.5.2+dfsg-1) unstable; urgency=medium
 .
   * New upstream bugfix & security release (closes: #1003027).
--- End Message ---