Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: roundcube@packages.debian.org
Control: affects -1 + src:roundcube

[ Reason ]
roundcube 1.6.1+dfsg-1 is vulnerable to CVE-2023-43770: a cross-site scripting (XSS) vulnerability in the handling of linkrefs in plain text messages. The Security Team decided not to issue a DSA for that CVE, but it's now fixed in buster-security (1.3.17+dfsg.1-1~deb10u3) as well as in testing/sid (1.6.3+dfsg-1), so it makes sense to fix it via (o)s-pu too.

In addition, the roundcube version currently in bookworm yields PHP warnings with PHP 8.2, and suffers from several regressions affecting for instance OAuth2 authentication, LDAP backends, and BINARY FETCHes.

[ Impact ]
Roundcube users will remain vulnerable to the XSS issue. For users upgrading from buster-security to bookworm, that would be a security regression. In addition, OAuth2 authentication would remain broken and error messages would keep polluting the log.

[ Tests ]
The upstream test suite is run at build time, and also via DEP-8 tests. In addition, I manually double checked that the aforementioned XSS issue is solved.

[ Risks ]
1.6 is upstream's stable branch, and as for Bullseye (and Buster) I propose that Bookworm follows it. The diff is not really trivial, but test coverage is decent except for the OAuth2 part (which again is broken in bookworm).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* New upstream security and bugfix release:
  + Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file
  + Fix regression that broke use_secure_urls feature
  + Fix potential PHP fatal error when opening a message with message/rfc822 part
  + Fix bug where a duplicate `<title>` tag in HTML email could cause some parts being cut off
  + Fix bug where a list of folders could have been sorted incorrectly
  + Fix regression where LDAP addressbook 'filter' option was ignored
  + Fix wrong order of a multi-folder search result when sorting by size
  + Fix so install/update scripts do not require PEAR
  + Fix regression where some mail parts could have been decoded incorrectly, or not at all
  + Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH
  + Fix PHP8 deprecation warning in the reconnect plugin
  + Fix "Show source" on mobile with x_frame_options = deny
  + Fix various PHP warnings
  + Fix deprecated use of ldap_connect() in password's ldap_simple driver
  + Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages (CVE-2023-43770)
  + Add Uyghur localization
  + Fix regression in OAuth request URI caused by use of REQUEST_URI instead of SCRIPT_NAME as a default
  + Fix bug where false attachment reminder was displayed on HTML mail with inline images
  + Fix bug where a non-ASCII character in app.js could cause error in javascript engine
  + Fix JWT decoding with url safe base64 schema
  + Fix bug where .wav instead of .mp3 file was used for the new mail notification in Firefox
  + Fix PHP8 warning
  + Fix support for Windows-31J charset
  + Fix so LDAP VLV option is disabled by default as documented
  + Fix so an email address with name is supported as input to the managesieve notify :from parameter
  + Fix Help plugin menu
  + Fix invalid onclick handler on the logo image when using non-array skin_logo setting
  + Fix duplicate recipients in "To" and "Cc" on reply
  + Fix bug where it wasn't possible to scroll lists by clicking middle mouse button
  + Fix bug where label text in a single-input dialog could be partially invisible in some locales
  + Fix bug where LDAP (fulltext) search didn't work without 'search_fields' in config
  + Fix extra leading newlines in plain text converted from HTML
  + Fix so recipients with a domain ending with .s are allowed
  + Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and TYPE=INTERNET
  + Fix QR code images for contacts with non-ASCII characters
  + Fix PHP8 warnings when using list_flags and list_cols properties by plugins
  + Fix bug where subfolders could lose subscription on parent folder rename
  + Fix connecting to LDAP using a URI with ldapi:// scheme
  + Fix insecure shell command params handling in cmd_learn driver of markasjunk plugin
  + Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk plugin
  + Fix PHP fatal error when importing vcf file using PHP 8.2
  + Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
* roundcube-core.cron: Trigger gc twice every hour. (Closes: #1043395)
* Fix GuzzleHttp autoload location. (Closes: #1040705)
* d/p/fix-autoload-location.patch: Set 'Forwarded: not-needed' DEP-3 header.
* Test suite: Adjust short date test to make it work with all ICUs. (Closes: #1030161)
* Add Romanian debconf templates translation. (Closes: #1033468)
* d/gbp.conf, d/README.source: Remove obsolete comment.
* d/sql/mysql/1.3.0-1: Move inline comment.
* d/p/fix-short-date-test-icu72.patch: Remove patch applied upstream.
* Refresh d/patches.
[ Other info ]
In addition to the debdiff.gz between 1.6.1+dfsg-1 (bookworm) and 1.6.3+dfsg-1~deb12u1, I attach a patch-applied diff excluding upstream's tests/**, program/localization/**, and plugins/*/localization/**, which should more accurately show what this p-u is about.

If you think that 1.6.3+dfsg-1~deb12u1 is beyond the scope of bookworm-pu then I'll prepare another upload, this time backporting the aforementioned regressions and security issue instead of following the upstream stable branch.

-- Guilhem.
Attachments:
- roundcube.debdiff.gz (application/gzip)
- signature.asc (PGP signature)