[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of roundcube

Hi Markus,

On 07/20/2016 01:12 PM, Markus Koschany wrote:
> Hello Lucas,
> I have prepared the last update of roundcube and just had a look at your
> patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as
> simple as it looks like on first glance. The whole foundation to protect
> against CSRF is missing. For instance the secure_url or
> request_security_check functions are not implemented in your patch or in
> the original version in Wheezy and without them your patch won't work. I
> think a proper fix requires more backporting work. Fixing CVE-2014-9587
> should also be considered because it also deals with a CSRF
> vulnerability but wasn't deemed important enough back then.

Thanks for your feedback, I am not a PHP expert and this is my first
contribution in LTS team, so sorry for any problem. Do you think that
worth work on CVE-2014-9587? Or should I leave this package and try to
work on another one?

Thanks a lot!

Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: