Hi Guilhem, On 12/01/2022 16:07, Guilhem Moulin wrote:
On Wed, 12 Jan 2022 at 15:48:51 +0100, Sylvain Beucler wrote:On 12/01/2022 14:15, Guilhem Moulin wrote: Thanks for the update. Go ahead and upload to stretch-security, and I'll publish the DLA accordingly :)Uploaded to security-master, thank you!
DLA-2878-1 is sent to the mailing list and www.d.o :)
(out of curiosity, was there an issue with keeping the "$this->config['charset']" bit from the original patch?)Ah yeah, forgot to mention that bit :-) There was no issue as far as I could tell. I don't have a strong opinion either way, but given htmlspecialchars()'s optional 3rd argument was added for 1.4-beta in https://github.com/roundcube/roundcubemail/commit/73ea8f94d01a87c3b9e83c96d1b795ca27151f16 I decided to drop it for stretch- and buster-security uploads.
Thanks for the precision. Cheers! Sylvain Beucler Debian LTS Team