Your message dated Fri, 16 Dec 2016 11:48:53 +
with message-id
and subject line Bug#847287: fixed in roundcube 1.2.3+dfsg.1-1
has caused the Debian Bug report #847287,
regarding roundcube: CVE-2016-9920: Remote command execution via malicious
email composing
to be marked as done.
This means
On Thu, 08 Dec 2016 at 19:46:32 +0100, Reiner Buehl wrote:
> Sorry if I ask a stupid question, but do I understand correctly that if I
> have 1.1.5+dfsg.1-1~bpo8+2 installed, then the fix is applied?
That's correct, cf.
https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/commit/?h=deb
Sorry if I ask a stupid question, but do I understand correctly that if I
have 1.1.5+dfsg.1-1~bpo8+2 installed, then the fix is applied?
Best regards,
Reiner
Hi,
> What about wheezy / wheezy-backports? Are these packages affected too?
Yes. Am updating wheezy now with my "LTS" hat on and issuing the
corresponding DLA. :)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
On Wed, 07 Dec 2016 12:16:14 +0100 Vincent Bernat
wrote:
> ⦠7 décembre 2016 12:08 +0100, Guilhem Moulin  :
>
> >> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
> >> big.
> >
> > 1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
> > April 29).
❦ 7 December 2016 12:08 +0100, Guilhem Moulin :
>> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
>> big.
>
> 1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
> April 29). The diff between 1.1.5+dfsg.1-1_bpo8+1 and 1.1.5+dfsg.1-1_bpo8+2
> is mer
On Wed, 07 Dec 2016 at 11:55:50 +0100, Vincent Bernat wrote:
> ❦ 7 December 2016 11:27 +0100, Guilhem Moulin :
>
Unfortunately 1.2.x has many dependencies that aren't in
jessie-backports yet. I personally don't have the time nor energy to
maintain said dependencies, so we asked b
❦ 7 December 2016 11:27 +0100, Guilhem Moulin :
>>> Unfortunately 1.2.x has many dependencies that aren't in
>>> jessie-backports yet. I personally don't have the time nor energy to
>>> maintain said dependencies, so we asked backports folks for an exception
>>> to stick to 1.1.x for the bpo v
On Wed, 07 Dec 2016 at 07:46:06 +0100, Vincent Bernat wrote:
> ❦ 7 December 2016 00:30 +0100, Guilhem Moulin :
>
>>> Version: 1.1.4+dfsg.1-1~bpo8+1
>>> […]
>>> So probably it is important to update to upstream version 1.2.3
>>
>> Unfortunately 1.2.x has many dependencies that aren't in
>> jessie
Hey,
we are discussing how we should handle the security issue for roundcube. It
has currently no CVE; it is tracked as:
TEMP-0847287-64604E on security.debian.org
or #847287 on BTS
Because we should not upload a new 1.1.X version to bpo, we thought to only
push an update that fixes only this i
❦ 7 December 2016 00:30 +0100, Guilhem Moulin :
>> Version: 1.1.4+dfsg.1-1~bpo8+1
>> […]
>> So probably it is important to update to upstream version 1.2.3
>
> Unfortunately 1.2.x has many dependencies that aren't in
> jessie-backports yet. I personally don't have the time nor energy to
> main
Hi,
On Wed, Dec 07, 2016 at 12:30:42AM +0100, Guilhem Moulin wrote:
> Hi,
>
> On Tue, 06 Dec 2016 at 23:05:59 +, Juan Rossi wrote:
> > Version: 1.1.4+dfsg.1-1~bpo8+1
> > […]
> > So probably it is important to update to upstream version 1.2.3
>
> Unfortunately 1.2.x has many dependencies that
Hi
I guess if package 1.2.3 cannot be backported to jessie due to dependency
issues, and there is no exception that would leave jessie users to backport
manually to 1.1.7 that includes the fix
https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released
Issue it is quite severe, I wond
Hi,
On Tue, 06 Dec 2016 at 23:05:59 +, Juan Rossi wrote:
> Version: 1.1.4+dfsg.1-1~bpo8+1
> […]
> So probably it is important to update to upstream version 1.2.3
Unfortunately 1.2.x has many dependencies that aren't in
jessie-backports yet. I personally don't have the time nor energy to
main
Package: roundcube
Version: 1.1.4+dfsg.1-1~bpo8+1
Severity: grave
Tags: upstream security
Justification: user security hole
Dear Maintainer,
I am reporting this as it is quite important as testing and unstable versions
of roundcube are affected (and even all the backports offered, which hopefull