[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of roundcube?

On 09.06.2016 09:45, Brian May wrote:
> Adrian Zaugg <adi@ente.limmat.ch> writes:
>> I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.
> I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1
> from jessie-backports instead.
> Unfortunately it needs a newer version of libjs-jquery then what is
> available in Wheezy:


I just had a closer look at the vulnerabilities. I have marked
CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
the vulnerable code is not present in this version. There is no upstream
fix available for CVE-2016-4086.

That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
needs more investigation. Some affected plugins don't exist in Wheezy,
the rest of the code is quite different.

If you agree I intend to fix the two CVEs shortly. At the moment I think
a backport is not necessary.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: