On 20.07.2016 16:33, Lucas Kanashiro wrote:
[...]
> I tested the upgrade of the previous version to this one and it worked.
> I did some tests, but if you could review it I'll appreciate it.
>
> After your feedback I can upload it or leave it up to you.
>
> Thank you very much.
[...]
Hello Lucas,

I have prepared the last update of roundcube and just had a look at your patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as simple as it looks at first glance. The whole foundation to protect against CSRF is missing. For instance, the secure_url or request_security_check functions are not implemented in your patch or in the original version in Wheezy, and without them your patch won't work. I think a proper fix requires more backporting work. Fixing CVE-2014-9587 should also be considered because it also deals with a CSRF vulnerability but wasn't deemed important enough back then.

Regards,
Markus