Bug#1052629: marked as done (bookworm-pu: package roundcube/1.6.3+dfsg-1~deb12u1)



Your message dated Sat, 07 Oct 2023 09:59:43 +0000
with message-id <E1qp463-00A4Io-9s@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1052629,
regarding bookworm-pu: package roundcube/1.6.3+dfsg-1~deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1052629: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052629
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: roundcube@packages.debian.org
Control: affects -1 + src:roundcube

[ Reason ]

roundcube 1.6.1+dfsg-1 is vulnerable to CVE-2023-43770: cross-site
scripting (XSS) vulnerability in handling of linkrefs in plain text
messages.

The Security Team decided not to issue a DSA for that CVE, but it's now
fixed in buster-security (1.3.17+dfsg.1-1~deb10u3) as well as
testing/sid (1.6.3+dfsg-1), so it makes sense to fix it via (o)s-pu
too.

In addition, the roundcube version currently in bookworm yields
yields PHP warnings with PHP 8.2, and suffers from several regressions
affecting for instance OAuth2 authentication, LDAP backends, or BINARY
FETCHes.

[ Impact ]

Roundcube users will remain vulnerable to the XSS issue.  For users
upgrading from buster-security to bookworm, that would be a security
regression.

In addition, OAuth2 authentication would remain broken and error
messages would keep polluting the log.

[ Tests ]

The upstream test suite is run at build time, and also via DEP-8 tests.
In addition, I manually double checked that the aforementioned XSS issue
is solved.

[ Risks ]

1.6 is upstream's stable branch, and like for Bullseye (and Buster) I
propose that Bookworm follows it.  The diff is not really trivial but
test coverage is decent except for the OAuth2 part (which again is
broken in bookworm).

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * New upstream security and bugfix release:
    + Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file
    + Fix regression that broke use_secure_urls feature
    + Fix potential PHP fatal error when opening a message with message/rfc822 part
    + Fix bug where a duplicate `<title>` tag in HTML email could cause some parts being cut off
    + Fix bug where a list of folders could have been sorted incorrectly
    + Fix regression where LDAP addressbook 'filter' option was ignored
    + Fix wrong order of a multi-folder search result when sorting by size
    + Fix so install/update scripts do not require PEAR
    + Fix regression where some mail parts could have been decoded incorrectly, or not at all
    + Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH
    + Fix PHP8 deprecation warning in the reconnect plugin
    + Fix "Show source" on mobile with x_frame_options = deny
    + Fix various PHP warnings
    + Fix deprecated use of ldap_connect() in password's ldap_simple driver
    + Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages (CVE-2023-43770)
    + Add Uyghur localization
    + Fix regression in OAuth request URI caused by use of REQUEST_URI instead of SCRIPT_NAME as a default
    + Fix bug where false attachment reminder was displayed on HTML mail with inline images
    + Fix bug where a non-ASCII character in app.js could cause error in javascript engine
    + Fix JWT decoding with url safe base64 schema
    + Fix bug where .wav instead of .mp3 file was used for the new mail notification in Firefox
    + Fix PHP8 warning
    + Fix support for Windows-31J charset
    + Fix so LDAP VLV option is disabled by default as documented
    + Fix so an email address with name is supported as input to the managesieve notify :from parameter
    + Fix Help plugin menu
    + Fix invalid onclick handler on the logo image when using non-array skin_logo setting
    + Fix duplicate recipients in "To" and "Cc" on reply
    + Fix bug where it wasn't possible to scroll lists by clicking middle mouse button
    + Fix bug where label text in a single-input dialog could be partially invisible in some locales
    + Fix bug where LDAP (fulltext) search didn't work without 'search_fields' in config
    + Fix extra leading newlines in plain text converted from HTML
    + Fix so recipients with a domain ending with .s are allowed
    + Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and TYPE=INTERNET
    + Fix QR code images for contacts with non-ASCII characters
    + Fix PHP8 warnings when using list_flags and list_cols properties by plugins
    + Fix bug where subfolders could lose subscription on parent folder rename
    + Fix connecting to LDAP using an URI with ldapi:// scheme
    + Fix insecure shell command params handling in cmd_learn driver of markasjunk plugin
    + Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk plugin
    + Fix PHP fatal error when importing vcf file using PHP 8.2
    + Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
  * roundcube-core.cron: Trigger gc twice every hour. (Closes: #1043395)
  * Fix GuzzleHttp autoload location. (Closes: #1040705)
  * d/p/fix-autoload-location.patch: Set ‘Forwarded: not-needed’ DEP-3 header.
  * Test suite: Adjust short date test to make it work with all ICUs. (Closes: #1030161)
  * Add Romanian debconf templates translation. (Closes: #1033468)
  * d/gbp.conf, d/README.source: Remove obsolete comment.
  * d/sql/mysql/1.3.0-1: Move inline comment.
  * d/p/fix-short-date-test-icu72.patch: Remove patch applied upstream.
  * Refresh d/patches.

[ Other info ]

In addition to the debdiff.gz between 1.6.1+dfsg-1 (bookworm) and 1.6.3+dfsg-1~deb12u1,
I attach a patch-applied diff excluding upstream's tests/**, program/localization/**,
and plugins/*/localization/**, which should more accurately show what
this p-u is about.

If you think that 1.6.3+dfsg-1~deb12u1 is beyond the scope of bookworm-pu then
I'll prepare another upload, this time backporting the aforementioned
regressions and security issue instead of following the upstream stable
branch.

-- 
Guilhem.

Attachment: roundcube.debdiff.gz
Description: application/gzip

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Version: 12.2

The upload requested in this bug has been released as part of 12.2.

--- End Message ---