On 20.07.2016 18:51, Lucas Kanashiro wrote: > Hi Markus, > > > On 07/20/2016 01:12 PM, Markus Koschany wrote: >> Hello Lucas, >> >> I have prepared the last update of roundcube and just had a look at your >> patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as >> simple as it looks like on first glance. The whole foundation to protect >> against CSRF is missing. For instance the secure_url or >> request_security_check functions are not implemented in your patch or in >> the original version in Wheezy and without them your patch won't work. I >> think a proper fix requires more backporting work. Fixing CVE-2014-9587 >> should also be considered because it also deals with a CSRF >> vulnerability but wasn't deemed important enough back then. >> > > Thanks for your feedback, I am not a PHP expert and this is my first > contribution in LTS team, so sorry for any problem. Do you think that > worth work on CVE-2014-9587? Or should I leave this package and try to > work on another one? > > Thanks a lot! > Cheers. Hi, Feel free to work on everything you like. Fixing CVE-2014-9587 together with CVE-2016-4069 isn't strictly required but you could probably reuse some of your work if you try to tackle these issue. In any case the whole CSRF complex requires much more work IMO and unless you are already familiar with Roundcube and PHP it might not be the right package to start with. It's up to you. Cheers, Markus
Attachment:
signature.asc
Description: OpenPGP digital signature