[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of roundcube

On 20.07.2016 16:33, Lucas Kanashiro wrote:
> I tested the upgrade of the previous version to this one and it worked.
> I did some tests, but if you could review it I'll appreciate.
> After your feedback I can upload it or leave it up to you.
> Thank you very much.

Hello Lucas,

I have prepared the last update of roundcube and just had a look at your
patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as
simple as it looks like on first glance. The whole foundation to protect
against CSRF is missing. For instance the secure_url or
request_security_check functions are not implemented in your patch or in
the original version in Wheezy and without them your patch won't work. I
think a proper fix requires more backporting work. Fixing CVE-2014-9587
should also be considered because it also deals with a CSRF
vulnerability but wasn't deemed important enough back then.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: