Re: roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content
On 12/01/2022 16:07, Guilhem Moulin wrote:
On Wed, 12 Jan 2022 at 15:48:51 +0100, Sylvain Beucler wrote:
On 12/01/2022 14:15, Guilhem Moulin wrote:
Thanks for the update. Go ahead and upload to stretch-security, and I'll
publish the DLA accordingly :)
Uploaded to security-master, thank you!
DLA-2878-1 is sent to the mailing list and www.d.o :)
(out of curiosity, was there an issue with keeping the
"$this->config['charset']" bit from the original patch?)
Ah yeah, forgot to mention that bit :-) There was no issue as far as I
could tell. I don't have a strong opinion either way, but given
htmlspecialchars()'s optional 3rd argument was added for 1.4-beta in
I decided to drop it for stretch- and buster-security uploads.
Thanks for the precision.
Debian LTS Team