CVE-2021-44026 (https://bugs.debian.org/1000156): Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. Please bump.
Another, CVE-2021-44025: Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
Might just be easiest to drop the 1.4.11 ebuild and stabilize 1.5.0. (That said, historically, Roundcube ebuild bumps are just a straight copy with a new name, so it's not like they're difficult.)
(In reply to Philippe Chaintreuil from comment #2)
> Might just be easiest to drop the 1.4.11 ebuild and stabilize 1.5.0.
>
> (That said, historically, Roundcube ebuild bumps are just a straight copy with a new name, so it's not like they're difficult.)

Is 1.5.0 unaffected?
(In reply to John Helmert III from comment #3)
> Is 1.5.0 unaffected?

https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released says the fixes were already in 1.5.0.
(In reply to Philippe Chaintreuil from comment #4)
> (In reply to John Helmert III from comment #3)
> > Is 1.5.0 unaffected?
>
> https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released says the fixes were already in 1.5.0.

Thanks, please stabilize when ready then.
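As an added illustration (this is not part of the bug thread, and not Roundcube or Gentoo code), the following Python snippet turns the affected ranges quoted above into an inventory check: "before 1.3.17" and "1.4.x before 1.4.12" are affected by CVE-2021-44025 and CVE-2021-44026, and 1.5.0 already carries the fixes according to the linked release announcement. The host inventory is constructed sample data; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as stated in the bug report, expressed as
# (lowest affected version inclusive, first fixed version exclusive).
# "Before 1.3.17" covers every release older than 1.3.17; "1.4.x before
# 1.4.12" is the separate 1.4 branch. 1.5.0 is outside both ranges, which
# matches the release announcement saying the fixes were already in 1.5.0.
AFFECTED_RANGES: Tuple[Tuple[Tuple[int, ...], Tuple[int, ...]], ...] = (
    ((0, 0, 0), (1, 3, 17)),
    ((1, 4, 0), (1, 4, 12)),
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted numeric Roundcube version such as '1.4.11' into a tuple
    of ints so that comparisons are numeric, not lexicographic."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the given Roundcube version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def hosts_needing_bump(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts (sorted) whose installed version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostname -> installed Roundcube version).
SAMPLE_INVENTORY = {
    "mail-a.example": "1.4.11",   # affected: 1.4.x before 1.4.12
    "mail-b.example": "1.4.12",   # fixed release
    "mail-c.example": "1.3.16",   # affected: before 1.3.17
    "mail-d.example": "1.5.0",    # fixes already included
    "mail-e.example": "1.4.9",    # affected; note "1.4.9" > "1.4.12" as strings
}

if __name__ == "__main__":
    for host in hosts_needing_bump(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, bump required")
```

The tuple comparison is the point of the helper: a naive string comparison would rank "1.4.9" above "1.4.12" and silently miss an affected host, which is exactly the kind of false negative a version check for a security bump must avoid.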
*** Bug 829408 has been marked as a duplicate of this bug. ***
Security: can this be closed? There aren't any matching ebuilds in the tree anymore.
This still needs a decision on a security advisory, and yes, we are behind with those.