Debian Bug report logs -
#927713
CVE-2019-10740
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#927713
; Package src:roundcube
.
(Sun, 21 Apr 2019 20:27:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Sun, 21 Apr 2019 20:27:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: roundcube
Severity: important
Tags: security
This was assigned CVE-2019-10740:
https://github.com/roundcube/roundcubemail/issues/6638
Cheers,
Moritz
Marked as found in versions roundcube/1.3.8+dfsg.1-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 22 Apr 2019 07:12:03 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org
.
(Mon, 13 May 2019 19:27:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#927713
; Package src:roundcube
.
(Mon, 13 May 2019 19:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Mon, 13 May 2019 19:45:04 GMT) (full text, mbox, link).
Message #16 received at 927713@bugs.debian.org (full text, mbox, reply):
Hi,
On Sun, Apr 21, 2019 at 10:25:22PM +0200, Moritz Muehlenhoff wrote:
> Source: roundcube
> Severity: important
> Tags: security
>
> This was assigned CVE-2019-10740:
> https://github.com/roundcube/roundcubemail/issues/6638
The issue seems to have been adressed upstream now.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#927713
; Package src:roundcube
.
(Tue, 14 May 2019 00:09:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Guilhem Moulin <guilhem@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Tue, 14 May 2019 00:09:02 GMT) (full text, mbox, link).
Message #21 received at 927713@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
On Mon, 13 May 2019 at 21:43:23 +0200, Salvatore Bonaccorso wrote:
> On Sun, Apr 21, 2019 at 10:25:22PM +0200, Moritz Muehlenhoff wrote:
>> Source: roundcube
>> Severity: important
>> Tags: security
>>
>> This was assigned CVE-2019-10740:
>> https://github.com/roundcube/roundcubemail/issues/6638
>
> The issue seems to have been adressed upstream now.
Thanks for the follow-up! AFAICT this issue is mostly irrelevant for
Stretch/Buster as it's about the Enigma plugin, which depends on a PHP
PEAR module (php-crypt-gpg) that's in neither release.
While it might be worth fixing in a later point release, or in an upload
to security-master along with the next security fix, this probably
doesn't warrant a DSA does it?
--
Guilhem.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#927713
; Package src:roundcube
.
(Tue, 14 May 2019 04:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Tue, 14 May 2019 04:33:03 GMT) (full text, mbox, link).
Message #26 received at 927713@bugs.debian.org (full text, mbox, reply):
Hi Guilhem
On Tue, May 14, 2019 at 02:05:31AM +0200, Guilhem Moulin wrote:
> Hi,
>
> On Mon, 13 May 2019 at 21:43:23 +0200, Salvatore Bonaccorso wrote:
> > On Sun, Apr 21, 2019 at 10:25:22PM +0200, Moritz Muehlenhoff wrote:
> >> Source: roundcube
> >> Severity: important
> >> Tags: security
> >>
> >> This was assigned CVE-2019-10740:
> >> https://github.com/roundcube/roundcubemail/issues/6638
> >
> > The issue seems to have been adressed upstream now.
>
> Thanks for the follow-up! AFAICT this issue is mostly irrelevant for
> Stretch/Buster as it's about the Enigma plugin, which depends on a PHP
> PEAR module (php-crypt-gpg) that's in neither release.
>
> While it might be worth fixing in a later point release, or in an upload
> to security-master along with the next security fix, this probably
> doesn't warrant a DSA does it?
Ack, right! I have updated the security-tracker accordingly!
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:01:40 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.