Hi Ola,
Sorry for the delay, not sure if you got an answer yet; either way I'm
not answering on behalf of the team here.
On Sat, 11 Nov 2017 at 20:14:38 +0100, Ola Lundqvist wrote:
> Would you like to take care of this yourself?
>
> The proposed patch for later release will not apply cleanly to
Dear maintainers,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/CVE-2017-16651
Would you like to take care of this yourself?
The proposed patch for later release will not apply cl
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/source-package/roundcube
Would you like to take care of this yourself?
If yes, please follow the workflow w
Hi Raphael,
On 06.09.2016 18:13, Raphael Hertzog wrote:
> Hi Markus,
>
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on everything you like. Fixing CVE-2014-9587 together
>> with CVE-2016-4069 isn't strictly required but you could probably reuse
>> some of your work if you tr
Hi
If you are sure CVE-2016-4068 is mitigated then we should be able to
mark it as fixed.
But you need to be sure. :-)
// Ola
On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzog wrote:
> Hi Markus,
>
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on everything you like. Fixing C
Hi Markus,
On Wed, 20 Jul 2016, Markus Koschany wrote:
> Feel free to work on everything you like. Fixing CVE-2014-9587 together
> with CVE-2016-4069 isn't strictly required but you could probably reuse
> some of your work if you try to tackle these issues. In any case the
> whole CSRF complex requ
On 07/20/2016 02:23 PM, Markus Koschany wrote:
> Hi,
>
> Feel free to work on everything you like. Fixing CVE-2014-9587 together
> with CVE-2016-4069 isn't strictly required but you could probably reuse
> some of your work if you try to tackle these issues. In any case the
> whole CSRF complex req
On 20.07.2016 18:51, Lucas Kanashiro wrote:
> Hi Markus,
>
>
> On 07/20/2016 01:12 PM, Markus Koschany wrote:
>> Hello Lucas,
>>
>> I have prepared the last update of roundcube and just had a look at your
>> patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as
>> simple as it lo
Hi Markus,
On 07/20/2016 01:12 PM, Markus Koschany wrote:
> Hello Lucas,
>
> I have prepared the last update of roundcube and just had a look at your
> patch. Unfortunately a proper fix for CVE-2016-4069 in Wheezy isn't as
> simple as it looks like on first glance. The whole foundation to protect
On 20.07.2016 16:33, Lucas Kanashiro wrote:
[...]
> I tested the upgrade of the previous version to this one and it worked.
> I did some tests, but if you could review it I'll appreciate it.
>
> After your feedback I can upload it or leave it up to you.
>
> Thank you very much.
[...]
Hello Lucas,
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/CVE-2016-4069
I missed the first contact where I should answer if you want to do it
or leave it to us, sorry
On 20.06.2016 10:56, Brian May wrote:
> Brian May writes:
>
>> Markus Koschany writes:
>>
>>> I just had a closer look at the vulnerabilities. I have marked
>>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>>> the vulnerable code is not present in this version. There is
Brian May writes:
> Markus Koschany writes:
>
>> I just had a closer look at the vulnerabilities. I have marked
>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>> the vulnerable code is not present in this version. There is no upstream
>> fix available for CVE-2016-4086
Markus Koschany writes:
> I just had a closer look at the vulnerabilities. I have marked
> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
> the vulnerable code is not present in this version. There is no upstream
> fix available for CVE-2016-4086.
>
> That leaves us with C
On 09.06.2016 09:45, Brian May wrote:
> Adrian Zaugg writes:
>
>> I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.
>
> I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1
> from jessie-backports instead.
>
> Unfortunately it needs a newer version of
Adrian Zaugg writes:
> I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.
I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1
from jessie-backports instead.
Unfortunately it needs a newer version of libjs-jquery than what is
available in Wheezy:
Ins
Hey,
On the one side I'm totally with Guilhem, that getting rid of the old
roundcube in old-stable would be the best thing. Upstream itself does not
support this version for a longer time. I'm not sure if any CVEs are filed for
such old versions anymore from upstream.
On the other side: The upg
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little messy.
> On 03.05.2016 at 17:49, Guilhem Mo
For instance, I run the unstable wordpress on a wheezy machine. And
each wordpress upgrade is painless, but a full upgrade to jessie would
be much more time consuming.
I agree for wordpress.
But roundcube is a little different. You don't have to run it on the
email server. It's just a box wi
Hi,
On Tue, 03 May 2016, Moritz Muehlenhoff wrote:
> What's the point in updating a server package like roundcube in LTS
> to the version from LTS+1? It creates significant churn on the sysadmin's
> side, which is better spent on upgrading the entire VM/machine to LTS+1.
I don't think this is enti
On 03.05.2016 at 18:37, Moritz Muehlenhoff wrote:
> On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
>> The second best solution would be to backport either the 1.0.x branch or
>> your jessie-backport packages to Wheezy. Since you actively maintain
>> them, what do you think, how c
On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
> The second best solution would be to backport either the 1.0.x branch or
> your jessie-backport packages to Wheezy. Since you actively maintain
> them, what do you think, how complex is the task to backport the
> packages from jessi
On 03.05.2016 at 17:49, Guilhem Moulin wrote:
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little mess
On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
> I agree, however I suspect most people using roundcube in production are
> probably using the backport... There's even a dangling backport in
> wheezy right now (0.9)... a little messy.
Sorry, I meant oldstable-backports not oldstable
On 2016-05-02 15:31:39, Guilhem Moulin wrote:
> Hi there,
>
> On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
>> Would you like to take care of this yourself?
>
> Not replying in the name of team (however I'm the one who pushed for
> Roundcube in jessie-backports and who is trying to
Hi there,
On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
> Would you like to take care of this yourself?
Not replying in the name of team (however I'm the one who pushed for
Roundcube in jessie-backports and who is trying to take care of it
there), unfortunately I don't have the
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/CVE-2016-4068
We know that roundcube is at least affected by CVE-2016-4068 in Wheezy but we
are interested i
27 matches