Hi Markus, On 07/20/2016 01:12 PM, Markus Koschany wrote: > Hello Lucas, > > I have prepared the last update of roundcube and just had a look at your > patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as > simple as it looks like on first glance. The whole foundation to protect > against CSRF is missing. For instance the secure_url or > request_security_check functions are not implemented in your patch or in > the original version in Wheezy and without them your patch won't work. I > think a proper fix requires more backporting work. Fixing CVE-2014-9587 > should also be considered because it also deals with a CSRF > vulnerability but wasn't deemed important enough back then. > Thanks for your feedback, I am not a PHP expert and this is my first contribution in LTS team, so sorry for any problem. Do you think that worth work on CVE-2014-9587? Or should I leave this package and try to work on another one? Thanks a lot! Cheers. -- Lucas Kanashiro 8ED6 C3F8 BAC9 DB7F C130 A870 F823 A272 9883 C97C
Attachment:
signature.asc
Description: OpenPGP digital signature