-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 05/04/16 10:57, Sebastien Delafond wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3541-1                   secur...@debian.org
> https://www.debian.org/security/                        Sebastien Delafond
> April 05, 2016                        https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : roundcube
> CVE ID         : CVE-2015-8770
>
> High-Tech Bridge Security Research Lab discovered that Roundcube,
> a webmail client, contained a path traversal vulnerability. This
> flaw could be exploited by an attacker to access sensitive files on
> the server, or even execute arbitrary code.
>
> For the oldstable distribution (wheezy), this problem has been
> fixed in version 0.7.2-9+deb7u2.
>
> For the testing (stretch) and unstable (sid) distributions, this
> problem has been fixed in version 1.1.4+dfsg.1-1.
>
> We recommend that you upgrade your roundcube packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org

Why did this take so long? The Roundcube team fixed this on 2015-12-26:
https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released

And it also seems an easy fix to backport:
https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d

I am asking because I am currently using the upstream Roundcube version, but I had decided to switch to jessie-backports when I have to upgrade it.

Regards.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXA5z3AAoJEBQTENjj7Qil1xMP/jvdwnHiup6pbYgt3l1yhOwi lKvPmgU+Ke5TLzj9kGg7kXwEADIBp82rV4RhLueDpLePrCEPHeOLgECnjSSA5JW0 DFONaGnLASAdSZN3hyBvTf7DTyvDo7NvgQdNfGTycpINlkhPjRBN3gTjBoimbU1l eKjDUfMLfiJtfuYcr2jq1kDmTJ43ZXwKWYc63gOFrGf88TxJlYrqlABfKSxVV3en NBddqGKxPwxTiD1eLisStO1UWsKILqja9OX7wAIN77JduniH5pyGObASWy7E7iv/ +4t1Kmim/7CqGmnWOqQBwBaLVBbD2hf0SURyETx0dyZqnHuOunWcgccMozhDUL9/ e2SAHeqP3Via2jyleV+iU3wUHFvX9Z+CBoZ0kjF3wKhVk2isRgytW968vuh4UbG6 liVYzjTpLVmS1JW7y499SWaPXjON51AyrGF9J8P4YHY2rGB6ntU7S/ail3Vq55x+ XQxzw3UL2ay9X19D+iPdCsFnf86lHxux6hGFt0D59Fo+GaZrRYGl4gIH+e2SPadZ hC73dkfzMaUiUvFkrAubXqaF93JN4xhtelsER2I47BenDFOUPF4LyEcu8PppMHau DwyuHT8F2bFZhGpky6opEBncLv56w1davbWCO2lpbPyI3OENARMg3CTpX3f3osY0 TC4Ro+GRTg16D5co8XaD
=j6f7
-----END PGP SIGNATURE-----
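The advisory quoted in the thread names the vulnerability class (path traversal) but not what a check against it looks like. The following is an added example written for this page; it is not Roundcube's code, not the upstream fix linked above, and not part of the advisory. It shows the vulnerable join pattern next to a hardened one that canonicalises the path lexically and verifies it stays under the base directory, plus an allow-list check for single-component names. The base directory `/var/www/roundcube/skins` and the request strings are constructed for illustration.

```python
import posixpath
import re


class PathTraversalError(ValueError):
    """Raised when a caller-supplied path would leave the intended base directory."""


def naive_join(base_dir, user_path):
    """Vulnerable pattern: the caller-supplied segment is appended verbatim.

    '../' sequences survive, so the operating system resolves the result
    outside base_dir when the file is actually opened.
    """
    return base_dir.rstrip("/") + "/" + user_path


def safe_join(base_dir, user_path):
    """Join user_path under base_dir and refuse anything that escapes it.

    posixpath is used so results are deterministic on every platform. The
    check is lexical only and never touches the filesystem; symlinks inside
    base_dir would additionally need a realpath() check at open time.
    """
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    if posixpath.isabs(user_path):
        raise PathTraversalError("absolute path not allowed")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # The trailing '/' matters: without it, '/srv/skins-old/x' would pass
    # a plain prefix check against a base of '/srv/skins'.
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathTraversalError(f"{user_path!r} resolves outside {base}")
    return candidate


# Stricter alternative for single-component identifiers (a skin or plugin
# name): allow only a known-safe character set, so separators and dots
# never reach the path logic at all. Hypothetical policy, not Roundcube's.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def is_safe_name(name):
    """True if name is a single component made only of allow-listed characters."""
    return SAFE_NAME.fullmatch(name) is not None


# Constructed sample inputs, not taken from any real request log.
SAMPLE_REQUESTS = [
    "larry/styles.css",
    "larry/../larry/print.css",
    "../../../etc/passwd",
    "/etc/passwd",
    "..",
    "larry\x00.css",
]


def audit(base_dir, requests):
    """Return {request: 'allowed' | 'blocked'} for each candidate path."""
    verdicts = {}
    for req in requests:
        try:
            safe_join(base_dir, req)
            verdicts[req] = "allowed"
        except PathTraversalError:
            verdicts[req] = "blocked"
    return verdicts


if __name__ == "__main__":
    base = "/var/www/roundcube/skins"  # hypothetical install path
    for req, verdict in audit(base, SAMPLE_REQUESTS).items():
        landing = posixpath.normpath(naive_join(base, req))
        print(f"{verdict:8} {req!r:28} naive join would resolve to {landing}")
```

The `audit` loop is the part worth reusing when reviewing a backport: feed it the request values a handler accepts and confirm every one that leaves the base directory is reported as blocked. `is_safe_name` is the cheaper choice wherever the input is supposed to be a bare identifier rather than a relative path.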