[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content

Hi Guilhem,

On 12/01/2022 16:07, Guilhem Moulin wrote:
On Wed, 12 Jan 2022 at 15:48:51 +0100, Sylvain Beucler wrote:
On 12/01/2022 14:15, Guilhem Moulin wrote:
Thanks for the update. Go ahead and upload to stretch-security, and I'll
publish the DLA accordingly :)

Uploaded to security-master, thank you!

DLA-2878-1 is sent to the mailing list and www.d.o :)

(out of curiosity, was there an issue with keeping the
"$this->config['charset']" bit from the original patch?)

Ah yeah, forgot to mention that bit :-)  There was no issue as far as I
could tell.  I don't have a strong opinion either way, but given
htmlspecialchars()'s optional 3rd argument was added for 1.4-beta in
I decided to drop it for stretch- and buster-security uploads.

Thanks for the precision.

Sylvain Beucler
Debian LTS Team

Reply to: