Summary: | <mail-client/roundcube-1.4.5: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Philippe Chaintreuil <gentoo_bugs_peep> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | bertrand, titanofold, web-apps |
Priority: | Normal | Flags: | nattka: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://github.com/gentoo/gentoo/pull/16055 https://bugs.gentoo.org/show_bug.cgi?id=720876 https://bugs.gentoo.org/show_bug.cgi?id=727534 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | mail-client/roundcube-1.4.6 | ||
Runtime testing required: | --- |
Description
Philippe Chaintreuil
2020-06-03 14:24:14 UTC
*** Bug 726948 has been marked as a duplicate of this bug. ***

"Roundcube 1.3.12 has been released. It's a bug fix release that addresses some security issues. These usually work by just renaming the existing ebuild.

Announcement: https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12

Changelog: https://github.com/roundcube/roundcubemail/releases/tag/1.3.12

Reproducible: Always"

Would you mind doing a PR for that too, or are we just going to kill off that series?

> Would you mind doing a PR for that too, or are we just going to kill off that series?
I don't run the 1.3.x line on my machine, so I wouldn't be able to test it. And I wouldn't feel right putting forth a PR I haven't tested. (Although, again, 98% just renaming the old ebuild has worked and that's likely to be the case here.)
I don't have any insight into if users are sticking to 1.3.x for a reason, or if they just haven't been cleaned up yet. That'd be titanofold's call as maintainer, I'd expect. (Perhaps masking the 1.3.x ebuilds to see if anyone complains would be a way to confirm if they're being used?)
Just a heads up there's an installer regression in 1.4.5 & 1.3.12, so they've released new versions with the single fix: https://roundcube.net/news/2020/06/07/updates-1.4.6-and-1.3.13-released

roundcube-1.4.6 just got added to the tree[1]. 1.4.6 is just 1.4.5 plus fixing the installer check that 1.4.5 broke, so one might consider acting on that version rather than 1.4.5 directly re:stabilization, etc.

[1] See bug #727534.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=637bca0e8feef63e8d6578d81bf342ac1d8e1e65

commit 637bca0e8feef63e8d6578d81bf342ac1d8e1e65
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-07-23 20:31:54 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-07-23 20:39:56 +0000

    mail-client/roundcube: Cleanup

    Bug: https://bugs.gentoo.org/720876
    Bug: https://bugs.gentoo.org/726944
    Closes: https://bugs.gentoo.org/705388
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 mail-client/roundcube/Manifest | 7 --
 mail-client/roundcube/roundcube-1.3.10.ebuild | 96 ---------------------------
 mail-client/roundcube/roundcube-1.3.8.ebuild | 96 ---------------------------
 mail-client/roundcube/roundcube-1.3.9.ebuild | 96 ---------------------------
 mail-client/roundcube/roundcube-1.4.0.ebuild | 73 --------------------
 mail-client/roundcube/roundcube-1.4.1.ebuild | 73 --------------------
 mail-client/roundcube/roundcube-1.4.2.ebuild | 73 --------------------
 mail-client/roundcube/roundcube-1.4.3.ebuild | 73 --------------------
 8 files changed, 587 deletions(-)

Seems like we should be stabilising 1.4.6?

amd64 stable. arm, ppc{,64}, sparc, x86 stable by ALLARCHES. Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=459a41c99baf3612d50ae11d0a66dd871e9e9e97

commit 459a41c99baf3612d50ae11d0a66dd871e9e9e97
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:25 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:38 +0000

    mail-client/roundcube: security cleanup

    Bug: https://bugs.gentoo.org/726944
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 mail-client/roundcube/Manifest | 2 -
 .../roundcube-1.3.7-pear-removed-installed.json | 226 ---------------------
 mail-client/roundcube/metadata.xml | 3 -
 mail-client/roundcube/roundcube-1.3.11.ebuild | 97 ---------
 mail-client/roundcube/roundcube-1.4.4.ebuild | 73 -------
 5 files changed, 401 deletions(-)