
Re: Wheezy update of roundcube

On 20.07.2016 18:51, Lucas Kanashiro wrote:
> Hi Markus,
> On 07/20/2016 01:12 PM, Markus Koschany wrote:
>> Hello Lucas,
>> I have prepared the last update of roundcube and just had a look at your
>> patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as
>> simple as it looks at first glance. The whole foundation to protect
>> against CSRF is missing. For instance the secure_url or
>> request_security_check functions are not implemented in your patch or in
>> the original version in Wheezy, and without them your patch won't work. I
>> think a proper fix requires more backporting work. Fixing CVE-2014-9587
>> should also be considered because it also deals with a CSRF
>> vulnerability but wasn't deemed important enough back then.
> Thanks for your feedback. I am not a PHP expert and this is my first
> contribution to the LTS team, so sorry for any problem. Do you think it is
> worth working on CVE-2014-9587? Or should I leave this package and try to
> work on another one?
> Thanks a lot!
> Cheers.


Feel free to work on everything you like. Fixing CVE-2014-9587 together
with CVE-2016-4069 isn't strictly required, but you could probably reuse
some of your work if you try to tackle these issues. In any case the
whole CSRF complex requires much more work IMO, and unless you are
already familiar with Roundcube and PHP it might not be the right
package to start with. It's up to you.
