
Re: [SECURITY] [DSA 3541-1] roundcube security update





On 05/04/16 10:57, Sebastien Delafond wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3541-1                   security@debian.org
> https://www.debian.org/security/                       Sebastien Delafond
> April 05, 2016                        https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : roundcube
> CVE ID         : CVE-2015-8770
> 
> High-Tech Bridge Security Research Lab discovered that Roundcube,
> a webmail client, contained a path traversal vulnerability. This
> flaw could be exploited by an attacker to access sensitive files on
> the server, or even execute arbitrary code.
> 
> For the oldstable distribution (wheezy), this problem has been
> fixed in version 0.7.2-9+deb7u2.
> 
> For the testing (stretch) and unstable (sid) distributions, this 
> problem has been fixed in version 1.1.4+dfsg.1-1.
> 
> We recommend that you upgrade your roundcube packages.
> 
> Further information about Debian Security Advisories, how to apply 
> these updates to your system and frequently asked questions can be 
> found at: https://www.debian.org/security/
> 
> Mailing list: debian-security-announce@lists.debian.org
> 

Why did this take so long? The Roundcube team fixed this on 2015-12-26:

https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released

And it also seems an easy fix to backport:

https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d

I am asking because I am currently using the upstream Roundcube version,
but I had decided to switch to jessie-backports when I have to upgrade it.

Regards.