| Summary: | <mail-client/roundcube-1.5.0: Homograph vulnerability (punycode mishandling) (CVE-2019-15237) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | minor | CC: | candrews, gentoo_bugs_peep, titanofold, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/roundcube/roundcubemail/issues/6891 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=720876 | | |
| Whiteboard: | B4 [glsa? cleanup cve] | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 824918, 830889 | | |
| Bug Blocks: | | | |

Description
Sam James
2020-03-02 01:47:59 UTC
Figured I'd mention that titanofold removed <mail-client/roundcube-1.3.11 on Jul 23, 2020/07/23 in [1]. So this has been "fixed".

[1] https://github.com/gentoo/gentoo/commit/637bca0e8feef63e8d6578d81bf342ac1d8e1e65#diff-b5ae4bfcb2dce94d36eeba44230d3e1bc8e0b9212d774369dbfd89dae975df29

(In reply to Philippe Chaintreuil from comment #1)
> Figured I'd mention that titanofold removed <mail-client/roundcube-1.3.11 on
> Jul 23, 2020/07/23 in [1]. So this has been "fixed".
>
> [1]
> https://github.com/gentoo/gentoo/commit/637bca0e8feef63e8d6578d81bf342ac1d8e1e65#diff-b5ae4bfcb2dce94d36eeba44230d3e1bc8e0b9212d774369dbfd89dae975df29

Where's the fix upstream? It doesn't look like the upstream issue has been resolved.

(In reply to John Helmert III from comment #2)
> (In reply to Philippe Chaintreuil from comment #1)
> > Figured I'd mention that titanofold removed <mail-client/roundcube-1.3.11 on
> > Jul 23, 2020/07/23 in [1]. So this has been "fixed".
> >
> > [1]
> > https://github.com/gentoo/gentoo/commit/637bca0e8feef63e8d6578d81bf342ac1d8e1e65#diff-b5ae4bfcb2dce94d36eeba44230d3e1bc8e0b9212d774369dbfd89dae975df29
>
> Where's the fix upstream? It doesn't look like the upstream issue has been
> resolved.

https://github.com/roundcube/roundcubemail/commit/b913d2fbdef8c351273ee12e307405e04eb0d550

... so it should be fixed in 1.5.0.

Please cleanup