[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of roundcube?

On 20.06.2016 10:56, Brian May wrote:
> Brian May <bam@debian.org> writes:
>> Markus Koschany <apo@debian.org> writes:
>>> I just had a closer look at the vulnerabilities. I have marked
>>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>>> the vulnerable code is not present in this version. There is no upstream
>>> fix available for CVE-2016-4086.
>>> That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
>>> needs more investigation. Some affected plugins don't exist in Wheezy,
>>> the rest of the code is quite different.
>>> If you agree I intend to fix the two CVEs shortly. At the moment I think
>>> a backport is not necessary.
>> Not sure if you were asking me or the mailing list, however no
>> objections from me. I say go ahead and do it.
> Did you still want to do this?

Yes, it is done but I haven't found the time to properly test it yet. I
expect an announcement this month.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: