Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964456,
regarding stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
964456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964456
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u6
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Tue, 7 Jul 2020 16:00:11 +0200
- Message-id: <20200707140011.GA844322@debian.org>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

In a recent post roundcube webmail upstream has announced the following security fix:

CVE-2020-15562: Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace.

This is tracked as #964355. The security team gave the green light for an upload of 1.3.14+dfsg.1-1~deb10u1 to buster-security, but suggested to target old-p-u for stretch. stretch currently has 1.2.3+dfsg.1-4+deb9u3 while stretch-security and stretch-pu have 1.2.3+dfsg.1-4+deb9u5. Both debdiffs attached.

unblock roundcube/1.2.3+dfsg.1-4+deb9u6

cheers
-- Guilhem.

diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1 changelog | 8 ++++++++ patches/CVE-2020-15562.patch | 33 +++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 42 insertions(+) diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog --- roundcube-1.2.3+dfsg.1/debian/changelog 2020-06-09 13:46:01.000000000 +0200 +++ roundcube-1.2.3+dfsg.1/debian/changelog 2020-07-06 16:14:59.000000000 +0200 @@ -1,3 +1,11 @@ +roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high + + * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS) + vulnerability via HTML messages with malicious svg/namespace + (Closes: #964355) + + -- Guilhem Moulin <guilhem@debian.org> Mon, 06 Jul 2020 16:14:59 +0200 + roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high * Backport security fixes from 1.3.12: diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch --- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 1970-01-01 01:00:00.000000000 +0100 +++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 2020-07-06 16:14:59.000000000 +0200 
@@ -0,0 +1,33 @@ +From f3d1566cf223eb04f47b6dfffcd88753f66c36ee Mon Sep 17 00:00:00 2001 +From: Aleksander Machniak <alec@alec.pl> +Date: Fri, 3 Jul 2020 11:29:50 +0200 +Subject: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace + +Credits to SSD Secure Disclosure (https://ssd-disclosure.com/) +--- + program/lib/Roundcube/rcube_washtml.php | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/program/lib/Roundcube/rcube_washtml.php ++++ b/program/lib/Roundcube/rcube_washtml.php +@@ -445,7 +445,10 @@ class rcube_washtml + $xpath = new DOMXPath($node->ownerDocument); + foreach ($xpath->query('namespace::*') as $ns) { + if ($ns->nodeName != 'xmlns:xml') { +- $dump .= ' ' . $ns->nodeName . '="' . $ns->nodeValue . '"'; ++ $dump .= sprintf(' %s="%s"', ++ $ns->nodeName, ++ htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset']) ++ ); + } + } + } +@@ -507,7 +510,7 @@ class rcube_washtml + $this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level'); + + // SVG need to be parsed as XML +- $this->is_xml = stripos($html, '<html') === false && stripos($html, '<svg') !== false; ++ $this->is_xml = !preg_match('/<(html|head|body)/i', $html) && stripos($html, '<svg') !== false; + $method = $this->is_xml ? 'loadXML' : 'loadHTML'; + $options = 0; + diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series --- roundcube-1.2.3+dfsg.1/debian/patches/series 2020-06-09 13:46:01.000000000 +0200 +++ roundcube-1.2.3+dfsg.1/debian/patches/series 2020-07-06 16:14:59.000000000 +0200 
@@ -20,3 +20,4 @@ CVE-2020-12626.patch CVE-2020-13964.patch CVE-2020-13965.patch +CVE-2020-15562.patch
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1 changelog | 8 ++++++++ patches/CVE-2020-15562.patch | 33 +++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 42 insertions(+) diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog --- roundcube-1.2.3+dfsg.1/debian/changelog 2020-06-09 13:46:01.000000000 +0200 +++ roundcube-1.2.3+dfsg.1/debian/changelog 2020-07-06 16:14:59.000000000 +0200 @@ -1,3 +1,11 @@ +roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high + + * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS) + vulnerability via HTML messages with malicious svg/namespace + (Closes: #964355) + + -- Guilhem Moulin <guilhem@debian.org> Mon, 06 Jul 2020 16:14:59 +0200 + roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high * Backport security fixes from 1.3.12: diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch --- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 1970-01-01 01:00:00.000000000 +0100 +++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 2020-07-06 16:14:59.000000000 +0200 
@@ -0,0 +1,33 @@ +From f3d1566cf223eb04f47b6dfffcd88753f66c36ee Mon Sep 17 00:00:00 2001 +From: Aleksander Machniak <alec@alec.pl> +Date: Fri, 3 Jul 2020 11:29:50 +0200 +Subject: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace + +Credits to SSD Secure Disclosure (https://ssd-disclosure.com/) +--- + program/lib/Roundcube/rcube_washtml.php | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/program/lib/Roundcube/rcube_washtml.php ++++ b/program/lib/Roundcube/rcube_washtml.php +@@ -445,7 +445,10 @@ class rcube_washtml + $xpath = new DOMXPath($node->ownerDocument); + foreach ($xpath->query('namespace::*') as $ns) { + if ($ns->nodeName != 'xmlns:xml') { +- $dump .= ' ' . $ns->nodeName . '="' . $ns->nodeValue . '"'; ++ $dump .= sprintf(' %s="%s"', ++ $ns->nodeName, ++ htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset']) ++ ); + } + } + } +@@ -507,7 +510,7 @@ class rcube_washtml + $this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level'); + + // SVG need to be parsed as XML +- $this->is_xml = stripos($html, '<html') === false && stripos($html, '<svg') !== false; ++ $this->is_xml = !preg_match('/<(html|head|body)/i', $html) && stripos($html, '<svg') !== false; + $method = $this->is_xml ? 'loadXML' : 'loadHTML'; + $options = 0; + diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series --- roundcube-1.2.3+dfsg.1/debian/patches/series 2020-06-09 13:46:01.000000000 +0200 +++ roundcube-1.2.3+dfsg.1/debian/patches/series 2020-07-06 16:14:59.000000000 +0200 @@ -20,3 +20,4 @@ CVE-2020-12626.patch CVE-2020-13964.patch CVE-2020-13965.patch +CVE-2020-15562.patch
Attachment: signature.asc
Description: PGP signature
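Review bot: in the `@@ -445,7 +445,10 @@` hunk of rcube_washtml.php only `$ns->nodeValue` goes through `htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset'])`; `$ns->nodeName` is still interpolated raw into the `' %s="%s"'` format string. That is acceptable because a namespace prefix is an XML NCName and cannot carry quotes or angle brackets, but a one-line comment next to the `sprintf` recording that reasoning would make the review of the surviving unescaped field easier, and it is worth confirming that `$this->config['charset']` is always populated on this 1.2.3 code path, since the escaping depends on it.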
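Review bot: in the `@@ -507,7 +510,7 @@` hunk, the new `!preg_match('/<(html|head|body)/i', $html)` has no delimiter after the tag name, so any tag whose name merely starts with `html`, `head` or `body` also forces `loadHTML`; that only errs toward the HTML parser, so it is safe, but the comment `// SVG need to be parsed as XML` should be extended to say that any html/head/body tag now wins over `<svg` and why, because the parser mode is chosen from message content the sender controls and a later edit that loosened this check would reintroduce the problem the CVE fixes.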
--- End Message ---
--- Begin Message ---
- To: 881871-done@bugs.debian.org, 891657-done@bugs.debian.org, 892932-done@bugs.debian.org, 893439-done@bugs.debian.org, 893548-done@bugs.debian.org, 898006-done@bugs.debian.org, 912531-done@bugs.debian.org, 921319-done@bugs.debian.org, 927433-done@bugs.debian.org, 930374-done@bugs.debian.org, 935739-done@bugs.debian.org, 944228-done@bugs.debian.org, 948650-done@bugs.debian.org, 948651-done@bugs.debian.org, 948653-done@bugs.debian.org, 948678-done@bugs.debian.org, 949112-done@bugs.debian.org, 949367-done@bugs.debian.org, 949925-done@bugs.debian.org, 951564-done@bugs.debian.org, 951872-done@bugs.debian.org, 953123-done@bugs.debian.org, 953745-done@bugs.debian.org, 954664-done@bugs.debian.org, 954863-done@bugs.debian.org, 955394-done@bugs.debian.org, 955409-done@bugs.debian.org, 955861-done@bugs.debian.org, 956532-done@bugs.debian.org, 956534-done@bugs.debian.org, 956537-done@bugs.debian.org, 956805-done@bugs.debian.org, 956929-done@bugs.debian.org, 958192-done@bugs.debian.org, 958850-done@bugs.debian.org, 958953-done@bugs.debian.org, 958995-done@bugs.debian.org, 961020-done@bugs.debian.org, 961440-done@bugs.debian.org, 961442-done@bugs.debian.org, 961579-done@bugs.debian.org, 961804-done@bugs.debian.org, 961922-done@bugs.debian.org, 961937-done@bugs.debian.org, 961945-done@bugs.debian.org, 962068-done@bugs.debian.org, 962155-done@bugs.debian.org, 962234-done@bugs.debian.org, 962256-done@bugs.debian.org, 962264-done@bugs.debian.org, 963614-done@bugs.debian.org, 963693-done@bugs.debian.org, 963703-done@bugs.debian.org, 963942-done@bugs.debian.org, 964244-done@bugs.debian.org, 964291-done@bugs.debian.org, 964325-done@bugs.debian.org, 964340-done@bugs.debian.org, 964351-done@bugs.debian.org, 964398-done@bugs.debian.org, 964411-done@bugs.debian.org, 964456-done@bugs.debian.org, 964588-done@bugs.debian.org, 964713-done@bugs.debian.org, 964727-done@bugs.debian.org, 964764-done@bugs.debian.org, 964777-done@bugs.debian.org, 964809-done@bugs.debian.org, 964813-done@bugs.debian.org, 964861-done@bugs.debian.org, 922170-done@bugs.debian.org
- Subject: Closing requests for fixes included in 9.13 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 18 Jul 2020 13:07:00 +0100
- Message-id: <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's stretch point release.

Regards,

Adam
--- End Message ---