Your message dated Wed, 14 Aug 2024 20:36:17 +0000
with message-id <e1sekjb-00fmtw...@fasolo.debian.org>
and subject line Bug#1077969: fixed in roundcube 1.4.15+dfsg.1-1+deb11u4
has caused the Debian Bug report #1077969,
regarding roundcube: CVE-2024-42008, CVE-2024-42009, CVE-2024-42010: XSS and 
information leak vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1077969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077969
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.7+dfsg-1
Severity: important
Found: -1 1.4.15+dfsg.1-1+deb11u3
Found: -1 1.6.5+dfsg-1+deb12u2
Tags: upstream security

Roundcube webmail upstream has recently released 1.6.8 [0] which fixes
the following vulnerabilities:

 * CVE-2024-42008: XSS vulnerability in serving of attachments other
   than HTML or SVG
   https://github.com/roundcube/roundcubemail/commit/89c8fe9ae9318c015807fbcbf7e39555fb30885d
 * CVE-2024-42009: XSS vulnerability in post-processing of sanitized
   HTML content
   https://github.com/roundcube/roundcubemail/commit/68af7c864a36e1941764238dac440ab0d99a8d26
 * CVE-2024-42010: information leak (access to remote content) via
   insufficient CSS filtering
   https://github.com/roundcube/roundcubemail/commit/602d0f566eb39b6dcb739ad78323ec434a3b92ce

-- 
Guilhem.

[0] https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8

--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.4.15+dfsg.1-1+deb11u4
Done: Guilhem Moulin <guil...@debian.org>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1077...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 08 Aug 2024 23:48:56 +0200
Source: roundcube
Architecture: source
Version: 1.4.15+dfsg.1-1+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintain...@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 1077969
Changes:
 roundcube (1.4.15+dfsg.1-1+deb11u4) bullseye-security; urgency=high
 .
   * Fix CVE-2024-42008: Cross-site scripting (XSS) vulnerability in serving of
     attachments other than HTML or SVG.
   * Fix CVE-2024-42009: Cross-site scripting (XSS) vulnerability in
     post-processing of sanitized HTML content. (Closes: #1077969)
   * Fix CVE-2024-42010: Information leak (access to remote content) via
     insufficient CSS filtering.
   * Backport upstream fix for infinite loop when parsing malformed Sieve
     script.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
