During the month of August 2024 and on behalf of Freexian, I worked on the
following:
roundcube
---------
Uploaded 1.3.17+dfsg.1-1~deb10u7 to buster-security and
1.4.15+dfsg.1-1+deb11u4 to bullseye-security, and issued ELA-1170-1 for
* CVE-2024-42008: XSS in serving of attachments other than HTML or SVG.
* CVE-2024-42009: XSS in post-processing of sanitized HTML content.
* CVE-2024-42010: information leak (access to remote content) due to
insufficient CSS filtering.
Unlike bullseye and later, the version found in buster(-security) did
not run the upstream test suite (phpunit unit tests) at run time. Doing
that now would be too intrusive (new build dependencies, d/rules changes)
but tests for 1.3.17 along with the unit tests for security patches were
backported in a separate branch.
dovecot
-------
Prepared 1:2.3.13+dfsg1-2+deb11u2 (bullseye-security), 1:2.3.4.1-5+deb10u8
(bullseye-security) and 1:2.2.27-3+deb9u8 (stretch-security) for
* CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc,
etc.) could become excessively CPU intensive.
* CVE-2024-23185: Very large headers can cause resource exhaustion when
parsing a message.
The packages will be uploaded shortly and DLA/ELAs will follow.
/other/
-------
Filed bug #1078760 against autopkgtest (running autopkgtest-build-qemu on
trixie/sid produces unbootable images for bullseye LTS and older suites) and
submitted a trivial patch.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.