saucy has seen the end of its life and is no longer receiving any
updates. Marking the saucy task for this ticket as "Won't Fix".
** Changed in: roundcube (Ubuntu Saucy)
Status: Incomplete => Won't Fix
Sorry, I don't have enough knowledge of Roundcube to figure out the
relevant fixes for CVE-2013-5645, which was fixed in Debian by updating
the package to 0.9.4-1. CVE-2013-6172 was fixed with
https://github.com/roundcube/roundcubemail/commit/70c7df8faa5a9023a2773dc5a38932f1ad3a84aa
applied on top
David, thanks for the debdiff, however it contains the full changeset
from 0.9.2-2 to 0.9.5-1. For this issue to be fixed, you'll want to
cherrypick the patches fixing the security issues and resubmit a debdiff
with only these changes by following
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedure
I created a debdiff of the changes between 0.9.2-2 and 0.9.5-1. I had a
look through the upstream git repository, but it was a bit difficult to
find the specific commits that fixed the CVEs. Looking through the
upstream changelog, it seems that there were mostly bugfixes between the
0.9.2 and 0.9.5
0.9.5-1 is currently in Ubuntu 14.04.
** Changed in: roundcube (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1256293
Title:
Please sync roundcube from Debi
Following
https://wiki.ubuntu.com/SyncRequestProcess#Content_of_a_sync_request
Changelog entries since 0.9.2-2:
roundcube (0.9.4-1.1) unstable; urgency=high
* Non-maintainer upload.
* Add CVE-2013-6172.patch patch.
CVE-2013-6172: An attacker can overwrite configuration settings using