roundcube: CVE-2015-1433: Cross-site scripting vulnerability fixed in 1.0.5

Debian Bug report logs - #776700

Reported by: Henri Salo <henri@nerv.fi>

Date: Sat, 31 Jan 2015 12:54:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream, wheezy

Found in versions roundcube/0.7.2-9, roundcube/0.9.5+dfsg1-4.1

Fixed in version roundcube/0.9.5+dfsg1-4.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#776700; Package roundcube. (Sat, 31 Jan 2015 12:54:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Sat, 31 Jan 2015 12:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: roundcube: Cross-site scripting vulnerability fixed in 1.0.5
Date: Sat, 31 Jan 2015 14:50:06 +0200
Package: roundcube
Version: 0.9.5+dfsg1-4.1
Severity: important
Tags: security, fixed-upstream, upstream

A cross-site scripting vulnerability has been fixed in Roundcube version 1.0.5.
Please update the Debian packages, thanks.

http://roundcube.net/news/2015/01/24/security-update-1.0.5/
http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5
http://trac.roundcube.net/ticket/1490227

CVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3

If you need any help with this case feel free to contact me.

-- 
Henri Salo



Changed Bug title to 'roundcube: CVE-2015-1433: Cross-site scripting vulnerability fixed in 1.0.5' from 'roundcube: Cross-site scripting vulnerability fixed in 1.0.5'. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Sat, 31 Jan 2015 14:06:04 GMT)


Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Sat, 31 Jan 2015 16:06:12 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 31 Jan 2015 16:06:13 GMT)


Message #12 received at 776700-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 776700-close@bugs.debian.org
Subject: Bug#776700: fixed in roundcube 0.9.5+dfsg1-4.2
Date: Sat, 31 Jan 2015 16:03:51 +0000
Source: roundcube
Source-Version: 0.9.5+dfsg1-4.2

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776700@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 31 Jan 2015 16:32:11 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Architecture: source all
Version: 0.9.5+dfsg1-4.2
Distribution: unstable
Urgency: medium
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description:
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 776700
Changes:
 roundcube (0.9.5+dfsg1-4.2) unstable; urgency=medium
 .
   * NMU.
   * Add a patch to fix XSS vulnerability. CVE-2015-1433.
     Closes: #776700.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#776700; Package roundcube. (Mon, 02 Feb 2015 22:51:07 GMT)


Acknowledgement sent to Marian Sigler <m@qjym.de>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Mon, 02 Feb 2015 22:51:07 GMT)


Message #17 received at 776700@bugs.debian.org:

From: Marian Sigler <m@qjym.de>
To: 776700@bugs.debian.org
Subject: Re: roundcube: CVE-2015-1433: Cross-site scripting vulnerability fixed in 1.0.5
Date: Mon, 02 Feb 2015 23:43:19 +0100
Control: -1 reopen
Tags: wheezy

> Source-Version: 0.9.5+dfsg1-4.2
> 
> We believe that the bug you reported is fixed in the latest version of
> roundcube, which is due to be installed in the Debian FTP archive.
I did a quick(!) check of the code on wheezy and it seems to be the
same, thus affected, too.

Marian



Added tag(s) wheezy. Request was from Marian Sigler <m@qjym.de> to control@bugs.debian.org. (Mon, 02 Feb 2015 23:27:07 GMT)


Bug reopened. Request was from Marian Sigler <m@qjym.de> to control@bugs.debian.org. (Mon, 02 Feb 2015 23:27:08 GMT)


No longer marked as fixed in versions roundcube/0.9.5+dfsg1-4.2. Request was from Marian Sigler <m@qjym.de> to control@bugs.debian.org. (Mon, 02 Feb 2015 23:27:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#776700; Package roundcube. (Mon, 02 Feb 2015 23:45:04 GMT)


Acknowledgement sent to Marian Sigler <m@qjym.de>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Mon, 02 Feb 2015 23:45:04 GMT)


Message #28 received at 776700@bugs.debian.org:

From: Marian Sigler <m@qjym.de>
Cc: 776700@bugs.debian.org
Subject: Re: Processed: tags 776700 wheezy, reopen
Date: Tue, 03 Feb 2015 00:40:23 +0100
On 03.02.2015 00:27, Debian Bug Tracking System wrote:
> all fixed versions will be cleared, and you may need to re-add them.
> Bug reopened
> No longer marked as fixed in versions roundcube/0.9.5+dfsg1-4.2.
Ehr, seems I probably fucked that up somewhat; actually I just wanted to
reopen the bug but keep it marked as fixed in jessie :[]
I'm sorry!
Before I try and break even more, can someone else fix that? Thanks!

Marian



Marked as found in versions roundcube/0.7.2-9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Feb 2015 04:18:04 GMT)


Marked as fixed in versions roundcube/0.9.5+dfsg1-4.2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Feb 2015 04:18:08 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Feb 2015 04:18:09 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 03 Feb 2015 04:18:10 GMT)


Message sent on to Henri Salo <henri@nerv.fi>:
Bug#776700. (Tue, 03 Feb 2015 04:18:14 GMT)


Message #39 received at 776700-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 776700-submitter@bugs.debian.org
Subject: closing 776700
Date: Tue, 03 Feb 2015 05:15:52 +0100
close 776700 0.9.5+dfsg1-4.2
thanks




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:25:28 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:51:05 2019; Machine Name: buxtehude
