Hi Ola,
Sorry for the delay, not sure if you got an answer yet; either way I'm
not answering on behalf of the team here.
On Sat, 11 Nov 2017 at 20:14:38 +0100, Ola Lundqvist wrote:
> Would you like to take care of this yourself?
>
> The proposed patch for later release will not apply cleanly to
Hi Raphael,
On 06.09.2016 18:13, Raphael Hertzog wrote:
> Hi Markus,
>
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on everything you like. Fixing CVE-2014-9587 together
>> with CVE-2016-4069 isn't strictly required but you could probably reuse
>> some of your work if you tr
Hi
If you are sure CVE-2016-4068 is mitigated then we should be able to
mark it as fixed.
But you need to be sure. :-)
// Ola
On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzog wrote:
> Hi Markus,
>
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on everything you like. Fixing C
Hi Markus,
On Wed, 20 Jul 2016, Markus Koschany wrote:
> Feel free to work on everything you like. Fixing CVE-2014-9587 together
> with CVE-2016-4069 isn't strictly required but you could probably reuse
> some of your work if you try to tackle these issues. In any case the
> whole CSRF complex requ
On 07/20/2016 02:23 PM, Markus Koschany wrote:
> Hi,
>
> Feel free to work on everything you like. Fixing CVE-2014-9587 together
> with CVE-2016-4069 isn't strictly required but you could probably reuse
> some of your work if you try to tackle these issues. In any case the
> whole CSRF complex req
On 20.07.2016 18:51, Lucas Kanashiro wrote:
> Hi Markus,
>
>
> On 07/20/2016 01:12 PM, Markus Koschany wrote:
>> Hello Lucas,
>>
>> I have prepared the last update of roundcube and just had a look at your
>> patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as
>> simple as it lo
Hi Markus,
On 07/20/2016 01:12 PM, Markus Koschany wrote:
> Hello Lucas,
>
> I have prepared the last update of roundcube and just had a look at your
> patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as
> simple as it looks like on first glance. The whole foundation to protect
On 20.07.2016 16:33, Lucas Kanashiro wrote:
[...]
> I tested the upgrade of the previous version to this one and it worked.
> I did some tests, but if you could review it I'll appreciate.
>
> After your feedback I can upload it or leave it up to you.
>
> Thank you very much.
[...]
Hello Lucas,
On 20.06.2016 10:56, Brian May wrote:
> Brian May writes:
>
>> Markus Koschany writes:
>>
>>> I just had a closer look at the vulnerabilities. I have marked
>>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>>> the vulnerable code is not present in this version. There is
Brian May writes:
> Markus Koschany writes:
>
>> I just had a closer look at the vulnerabilities. I have marked
>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>> the vulnerable code is not present in this version. There is no upstream
>> fix available for CVE-2016-4086
Markus Koschany writes:
> I just had a closer look at the vulnerabilities. I have marked
> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
> the vulnerable code is not present in this version. There is no upstream
> fix available for CVE-2016-4086.
>
> That leaves us with C
On 09.06.2016 09:45, Brian May wrote:
> Adrian Zaugg writes:
>
>> I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.
>
> I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1
> from jessie-backports instead.
>
> Unfortunately it needs a newer version of
Adrian Zaugg writes:
> I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.
I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1
from jessie-backports instead.
Unfortunately it needs a newer version of libjs-jquery than what is
available in Wheezy:
Ins
Hey,
On the one side I'm totally with Guilhem, that getting rid of the old
roundcube in old-stable would be the best thing. Upstream itself do not
support this version for a longer time. I'm not sure if any CVEs are filed for
such old versions anymore from upstream.
On the other side: The upg
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little messy.
> Am 03.05.2016 um 17:49 schrieb Guilhem Mo
For instance, I run the unstable wordpress on a wheezy machine. And
each wordpress upgrade is painless, but a full upgrade to jessie would
be much more time consuming.
I agree for wordpress.
But roundcube is a little different. You don't have to run it on the
email server. It's just a box wi
Hi,
On Tue, 03 May 2016, Moritz Muehlenhoff wrote:
> What's the point in updating a server package like roundcube in LTS
> to the version from LTS+1? It creates significant churn on the sysadmin's
> side, which is better spent on upgrading the entire VM/machine to LTS+1.
I don't think this is enti
Am 03.05.2016 um 18:37 schrieb Moritz Muehlenhoff:
> On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
>> The second best solution would be to backport either the 1.0.x branch or
>> your jessie-backport packages to Wheezy. Since you actively maintain
>> them, what do you think, how c
On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
> The second best solution would be to backport either the 1.0.x branch or
> your jessie-backport packages to Wheezy. Since you actively maintain
> them, what do you think, how complex is the task to backport the
> packages from jessi
Am 03.05.2016 um 17:49 schrieb Guilhem Moulin:
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little mess
On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
> I agree, however I suspect most people using roundcube in production are
> probably using the backport... There's even a dangling backport in
> wheezy right now (0.9)... a little messy.
Sorry, I meant oldstable-backports not oldstable
On 2016-05-02 15:31:39, Guilhem Moulin wrote:
> Hi there,
>
> On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
>> Would you like to take care of this yourself?
>
> Not replying in the name of team (however I'm the one who pushed for
> Roundcube in jessie-backports and who is trying to
Hi there,
On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
> Would you like to take care of this yourself?
Not replying in the name of team (however I'm the one who pushed for
Roundcube in jessie-backports and who is trying to take care of it
there), unfortunately I don't have the
23 matches