[Pkg-roundcube-maintainers] Bug#721592: roundcube: CVE-2013-5645

Salvatore Bonaccorso carnil at debian.org
Tue Sep 3 07:19:02 UTC 2013


Hi Vincent,

On Tue, Sep 03, 2013 at 09:01:03AM +0200, Vincent Bernat wrote:
>  ❦  3 September 2013 08:51 CEST, Salvatore Bonaccorso <carnil at debian.org> :
> 
> >> > Please adjust the affected versions in the BTS as needed. At least
> >> > 0.9.2 looks affected.
> >> 
> >> Hi Salvatore!
> >> 
> >> Previous versions are likely to be affected too. I will try to backport
> >> the patches. For version in Jessie and unstable, I will just upload
> >> 0.9.3.
> >
> > Thanks for your quick reply! From what I see about the vulnerability,
> > I would say this does not warrant a DSA, as the exploitability seems
> > to be limited to a user-assisted remote attacker.
> 
> The exploit can be triggered by a user using a message as a template for
> a new message. This seems far-fetched, so I agree.
> 
> > Do you agree on that conclusion? If yes I will mark this in the
> > security-tracker appropriately. Could you address in that case the
> > updates through a proposed-update instead?
> 
> OK.

Thanks for confirming. I have marked it accordingly.

Regards,
Salvatore
