Debian Package Tracker

general

source: roundcube (main)
version: 1.3.8+dfsg.1-2
maintainer: Debian Roundcube Maintainers (archive) (DMD)
uploaders: Vincent Bernat [DMD] – Guilhem Moulin [DMD] – Sandro Knauß [DMD]
arch: all
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.2.3+dfsg.1-4+deb9u3
old-sec: 1.2.3+dfsg.1-4+deb9u3
stable: 1.3.8+dfsg.1-2
testing: 1.3.8+dfsg.1-2
unstable: 1.3.8+dfsg.1-2
exp: 1.4~rc1+dfsg.2-1

versioned links

1.2.3+dfsg.1-4+deb9u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.8+dfsg.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.4~rc1+dfsg.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

roundcube (14 bugs: 0, 7, 7, 0)
roundcube-core
roundcube-mysql
roundcube-pgsql
roundcube-plugins
roundcube-sqlite3

action needed

A new upstream version is available: 1.4~beta high

A new upstream version 1.4~beta is available, you should consider packaging it.

Created: 2018-07-28 Last update: 2019-10-18 03:12

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2019-06-06 Last update: 2019-10-13 12:16

3 security issues in stretch high

There are 3 open security issues in stretch.

1 important issue:

CVE-2019-15237: Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.

2 issues skipped by the security teams:

CVE-2019-10740: In Roundcube Webmail 1.3.4, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.
CVE-2018-19205: Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php.

Please fix them.

Created: 2018-11-12 Last update: 2019-09-01 03:36

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2019-10740: In Roundcube Webmail 1.3.4, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.
CVE-2019-15237: Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.

Please fix them.

Created: 2019-04-07 Last update: 2019-09-01 03:36

2 security issues in buster high

There are 2 open security issues in buster.

1 important issue:

CVE-2019-15237: Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.

1 issue skipped by the security teams:

CVE-2019-10740: In Roundcube Webmail 1.3.4, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.

Please fix them.

Created: 2019-04-07 Last update: 2019-09-01 03:36

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2019-10740: In Roundcube Webmail 1.3.4, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.
CVE-2019-15237: Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.

Please fix them.

Created: 2019-07-07 Last update: 2019-09-01 03:36

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2019-04-01 Last update: 2019-10-18 03:04

Depends on packages which need a new maintainer normal

The packages that roundcube depends on which need a new maintainer are:

apache2 (#910917)
- Recommends: apache2
lighttpd (#898110)
- Recommends: lighttpd

Created: 2018-05-07 Last update: 2019-10-18 00:36

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.1 instead of 4.2.1).

Created: 2018-12-23 Last update: 2019-09-29 23:40

news

[rss feed]

[2019-06-11] Accepted roundcube 1.4~rc1+dfsg.2-1 (source) into experimental (Guilhem Moulin)
[2018-11-28] Accepted roundcube 1.2.3+dfsg.1-4+deb9u3 (source all) into proposed-updates->stable-new, proposed-updates (Guilhem Moulin)
[2018-11-24] Accepted roundcube 1.2.3+dfsg.1-4+deb9u3 (source all) into stable->embargoed, stable (Guilhem Moulin)
[2018-11-10] roundcube 1.3.8+dfsg.1-2 MIGRATED to testing (Debian testing watch)
[2018-11-05] Accepted roundcube 1.3.8+dfsg.1-2 (source all) into unstable (Guilhem Moulin)
[2018-11-03] Accepted roundcube 1.3.8+dfsg.1-1 (source all) into unstable (Guilhem Moulin)
[2018-04-30] Accepted roundcube 1.2.3+dfsg.1-4+deb9u2 (source all) into proposed-updates->stable-new, proposed-updates (Guilhem Moulin)
[2018-04-28] Accepted roundcube 1.2.3+dfsg.1-4+deb9u2 (source all) into stable->embargoed, stable (Guilhem Moulin)
[2018-04-20] roundcube 1.3.6+dfsg.1-1 MIGRATED to testing (Debian testing watch)
[2018-04-14] Accepted roundcube 1.3.6+dfsg.1-1 (source all) into unstable (Guilhem Moulin)
[2017-11-28] Accepted roundcube 0.7.2-9+deb7u9 (source all) into oldoldstable (Roberto C. Sanchez)
[2017-11-25] roundcube 1.3.3+dfsg.1-2 MIGRATED to testing (Debian testing watch)
[2017-11-20] Accepted roundcube 1.3.3+dfsg.1-2 (source all) into unstable (Guilhem Moulin)
[2017-11-12] Accepted roundcube 1.2.3+dfsg.1-4+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Guilhem Moulin)
[2017-11-11] roundcube 1.3.3+dfsg.1-1 MIGRATED to testing (Debian testing watch)
[2017-11-09] Accepted roundcube 1.3.3+dfsg.1-1 (source all) into unstable (Guilhem Moulin)
[2017-09-16] roundcube 1.3.1+dfsg.1-1 MIGRATED to testing (Debian testing watch)
[2017-09-10] Accepted roundcube 1.3.1+dfsg.1-1 (source) into unstable (Sandro Knauß)
[2017-08-28] roundcube 1.3.0+dfsg.1-1 MIGRATED to testing (Debian testing watch)
[2017-08-22] Accepted roundcube 1.3.0+dfsg.1-1 (source) into unstable (Sandro Knauß)
[2017-07-27] Accepted roundcube 0.7.2-9+deb7u8 (source all) into oldoldstable (Markus Koschany)
[2017-06-06] Accepted roundcube 1.1.5+dfsg.1-1~bpo8+5 (source all) into jessie-backports->backports-policy, jessie-backports (Guilhem Moulin) (signed by: Vincent Bernat)
[2017-05-12] roundcube 1.2.3+dfsg.1-4 MIGRATED to testing (Debian testing watch)
[2017-05-07] Accepted roundcube 0.7.2-9+deb7u7 (source all) into oldstable (Markus Koschany)
[2017-05-02] Accepted roundcube 1.2.3+dfsg.1-4 (source all) into unstable (Guilhem Moulin) (signed by: Vincent Bernat)
[2017-03-17] roundcube 1.2.3+dfsg.1-3 MIGRATED to testing (Debian testing watch)
[2017-03-14] Accepted roundcube 1.1.5+dfsg.1-1~bpo8+4 (source all) into jessie-backports->backports-policy, jessie-backports (Guilhem Moulin) (signed by: Vincent Bernat)
[2017-03-14] Accepted roundcube 1.2.3+dfsg.1-3 (source all) into unstable (Guilhem Moulin) (signed by: Vincent Bernat)
[2017-03-14] Accepted roundcube 1.2.3+dfsg.1-2 (source all) into unstable (Guilhem Moulin) (signed by: Vincent Bernat)
[2017-03-13] Accepted roundcube 0.7.2-9+deb7u6 (source all) into oldstable (Markus Koschany)

bugs [bug history graph]

all: 19
RC: 0
I&N: 9
M&W: 7
F&P: 3
patch: 1

links

homepage
lintian
buildd: logs, exp, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots