
Re: Wheezy update of roundcube



Hi

If you are sure CVE-2016-4068 is mitigated then we should be able to
mark it as fixed.
But you need to be sure. :-)

// Ola

On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzog <hertzog@debian.org> wrote:
> Hi Markus,
>
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on everything you like. Fixing CVE-2014-9587 together
>> with CVE-2016-4069 isn't strictly required but you could probably reuse
>> some of your work if you try to tackle these issues. In any case the
>> whole CSRF complex requires much more work IMO and unless you are
>> already familiar with Roundcube and PHP it might not be the right
>> package to start with. It's up to you.
>
> It was indeed a non-trivial amount of work... but the attached patch
> fixes CVE-2016-4069 according to my tests (i.e. download requests
> without _token do fail).
>
> On Thursday I will see if I can deal with CVE-2014-9587 as well.
>
> Then there's https://security-tracker.debian.org/tracker/CVE-2016-4068;
> you left it open, but it's mitigated since one cannot view SVG files.
> There is a patch available now
> (https://github.com/roundcube/roundcubemail/commit/a1fdb205f824dee7fd42dda739f207abc85ce158)
> but I'm not sure it's worth the effort of the backport. Because
> backporting this patch would also require backporting the real
> fix for https://security-tracker.debian.org/tracker/CVE-2015-8864
> which is also rather involved.
>
> Thus I'm tempted to just mark the CVE-2016-4068 as fixed with your DLA-537-1.
>
> What do you think?
>
> I just spent 5 hours just for the attached patch...
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
