Hi,

If you are sure CVE-2016-4068 is mitigated then we should be able to mark it as fixed. But you need to be sure. :-)

// Ola

On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzog <hert...@debian.org> wrote:
> Hi Markus,
>
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on everything you like. Fixing CVE-2014-9587 together
>> with CVE-2016-4069 isn't strictly required but you could probably reuse
>> some of your work if you try to tackle these issues. In any case the
>> whole CSRF complex requires much more work IMO and unless you are
>> already familiar with Roundcube and PHP it might not be the right
>> package to start with. It's up to you.
>
> It was indeed a non-trivial amount of work... but the attached patch
> fixes CVE-2016-4069 according to my tests (i.e. download requests
> without _token do fail).
>
> On Thursday I will see if I can deal with CVE-2014-9587 as well.
>
> Then there's https://security-tracker.debian.org/tracker/CVE-2016-4068
> you left it open but it's mitigated since one cannot view SVG files.
> There is a patch available now
> (https://github.com/roundcube/roundcubemail/commit/a1fdb205f824dee7fd42dda739f207abc85ce158)
> but I'm not sure it's worth the effort of the backport. Because
> backporting this patch would also require backporting the real
> fix for https://security-tracker.debian.org/tracker/CVE-2015-8864
> which is also rather involved.
>
> Thus I'm tempted to just mark CVE-2016-4068 as fixed with your DLA-537-1.
>
> What do you think?
>
> I just spent 5 hours just for the attached patch...
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551  |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------