roundcube: CVE-2020-35730: XSS vulnerability via malicious HTML or plaintext messages

Related Vulnerabilities: CVE-2020-35730  

Debian Bug report logs - #978491

Reported by: Guilhem Moulin <guilhem@debian.org>

Date: Mon, 28 Dec 2020 00:33:02 UTC

Severity: important

Tags: security

Found in versions roundcube/1.4.9+dfsg.1-1, roundcube/1.3.15+dfsg.1-1~deb10u1, roundcube/1.2.3+dfsg.1-4+deb9u7

Fixed in versions roundcube/1.4.10+dfsg.1-1, roundcube/1.3.16+dfsg.1-1~deb10u1

Done: Guilhem Moulin <guilhem@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>:
Bug#978491; Package src:roundcube. (Mon, 28 Dec 2020 00:33:04 GMT)


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>. (Mon, 28 Dec 2020 00:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube: CVE-2020-35730: XSS vulnerability via malicious HTML or plaintext messages
Date: Mon, 28 Dec 2020 01:31:11 +0100
Source: roundcube
Severity: important
Tags: security
Control: found -1 1.4.9+dfsg.1-1
Control: found -1 1.3.15+dfsg.1-1~deb10u1
Control: found -1 1.2.3+dfsg.1-4+deb9u7

In a recent post roundcube webmail upstream has announced the following
security fix:

    Cross-site scripting (XSS) via HTML or Plain text messages with
    malicious content (CVE-2020-35730)

1.2.x, 1.3.x and 1.4.x branches are affected.  Upstream fix:

    1.4.x https://github.com/roundcube/roundcubemail/commit/0bceba301aa621ecc0263eac17beee2a4cef0c6d
    1.3.x https://github.com/roundcube/roundcubemail/commit/a06ec1dcf9c972d302b16e1ac6aa079a4f6a1c3e
    1.2.x https://github.com/roundcube/roundcubemail/commit/47e4d44f62ea16f923761d57f1773a66d51afad4

-- 
Guilhem.

Marked as found in versions roundcube/1.4.9+dfsg.1-1. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Mon, 28 Dec 2020 00:33:04 GMT)


Marked as found in versions roundcube/1.3.15+dfsg.1-1~deb10u1. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Mon, 28 Dec 2020 00:33:04 GMT)


Marked as found in versions roundcube/1.2.3+dfsg.1-4+deb9u7. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Mon, 28 Dec 2020 00:33:05 GMT)


Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Mon, 28 Dec 2020 01:21:07 GMT)


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Mon, 28 Dec 2020 01:21:07 GMT)


Message #16 received at 978491-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 978491-close@bugs.debian.org
Subject: Bug#978491: fixed in roundcube 1.4.10+dfsg.1-1
Date: Mon, 28 Dec 2020 01:20:20 +0000
Source: roundcube
Source-Version: 1.4.10+dfsg.1-1
Done: Guilhem Moulin <guilhem@debian.org>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978491@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 28 Dec 2020 01:33:45 +0100
Source: roundcube
Architecture: source
Version: 1.4.10+dfsg.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 978069 978491
Changes:
 roundcube (1.4.10+dfsg.1-1) unstable; urgency=high
 .
   * New upstream bugfix release, including security fix for: CVE-2020-35730:
     Cross-site scripting (XSS) vulnerability via HTML or Plain text messages
     with malicious content svg/namespace. (Closes: #978491)
   * d/rules: Make sure to fail the build when an error is raised in a for
     loop. (Closes: #978069)
   * d/rules: Refactor and move CSS/JS generation and minification from
     override_dh_auto_install to override_dh_auto_build.  Thanks to Jonas
     Smedegaard for pointing this out.
   * Bump Standards-Version to 4.5.1 (no changes needed).
   * Upgrade watch file to version 4.
   * Rename Debian branch to debian/latest for DEP-14 compliance.
   * d/gbp.conf: Remove custom setting compression=xz.





Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Tue, 29 Dec 2020 19:36:02 GMT)


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Tue, 29 Dec 2020 19:36:03 GMT)


Message #21 received at 978491-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 978491-close@bugs.debian.org
Subject: Bug#978491: fixed in roundcube 1.3.16+dfsg.1-1~deb10u1
Date: Tue, 29 Dec 2020 19:32:11 +0000
Source: roundcube
Source-Version: 1.3.16+dfsg.1-1~deb10u1
Done: Guilhem Moulin <guilhem@debian.org>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978491@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 28 Dec 2020 02:49:49 +0100
Source: roundcube
Architecture: source
Version: 1.3.16+dfsg.1-1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 978491
Changes:
 roundcube (1.3.16+dfsg.1-1~deb10u1) buster-security; urgency=high
 .
   * New upstream bugfix release, with security fix for CVE-2020-35730:
     Cross-site scripting (XSS) vulnerability via HTML or Plain text messages
     with malicious content svg/namespace. (Closes: #978491)
   * Revert upstream commit 435cfa116 to avoid irrelevant jstz update.







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 9 11:12:21 2021; Machine Name: buxtehude
