Please sync roundcube from Debian sid version 0.9.4-1.1 or greater

Bug #1256293 reported by David King
Affects              Status        Importance  Assigned to  Milestone
roundcube (Ubuntu)   Fix Released  Undecided   Unassigned
  Saucy              Won't Fix     Undecided   Unassigned
  Trusty             Fix Released  Undecided   Unassigned

Bug Description

Ubuntu 13.10
roundcube 0.9.2-2
Versions below 0.9.3 are affected by CVE-2013-5645, and versions below 0.9.5 are affected by CVE-2013-6172 (patched in 0.9.4-1.1).

CVE References

David King (amigadave)
information type: Public → Public Security
David King (amigadave) wrote :

Following https://wiki.ubuntu.com/SyncRequestProcess#Content_of_a_sync_request

Changelog entries since 0.9.2-2:
roundcube (0.9.4-1.1) unstable; urgency=high

  * Non-maintainer upload.
  * Add CVE-2013-6172.patch patch.
    CVE-2013-6172: An attacker can overwrite configuration settings using
    user preferences. This can result in random file access and manipulated
    SQL queries. (Closes: #727668)

 -- Salvatore Bonaccorso <email address hidden> Sat, 26 Oct 2013 21:47:22 +0200

roundcube (0.9.4-1) unstable; urgency=low

  * New upstream version.
     + Fix CVE-2013-5645 (Closes: #721592)
     + "Enigma" plugin has been removed.

 -- Vincent Bernat <email address hidden> Sun, 08 Sep 2013 13:52:46 +0200

summary: - Please sync to Debian version 0.9.4-1.1 or greater
+ Please sync roundcube from Debian sid version 0.9.4-1.1 or greater
Marc Deslauriers (mdeslaur) wrote :

0.9.5-1 is currently in Ubuntu 14.04.

Changed in roundcube (Ubuntu):
status: New → Incomplete
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

David King (amigadave) wrote :

I created a debdiff of the changes between 0.9.2-2 and 0.9.5-1. I had a look through the upstream git repository, but it was a bit difficult to find the specific commits that fixed the CVEs. Looking through the upstream changelog, it seems that there were mostly bugfixes between the 0.9.2 and 0.9.5 releases.

Jamie Strandboge (jdstrand) wrote :

David, thanks for the debdiff, however it contains the full changeset from 0.9.2-2 to 0.9.5-1. For this issue to be fixed, you'll want to cherry-pick the patches fixing the security issues and resubmit a debdiff with only these changes by following https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

NAK for the attached debdiff. Unsubscribing ubuntu-sponsors. David, when you supply an updated debdiff, please feel free to resubscribe ubuntu-security-sponsors. Thanks!

Changed in roundcube (Ubuntu Trusty):
status: Incomplete → Fix Released
Changed in roundcube (Ubuntu Saucy):
status: New → Incomplete
David King (amigadave) wrote :

Sorry, I don't have enough knowledge of Roundcube to figure out the relevant fixes for CVE-2013-5645, which was fixed in Debian by updating the package to 0.9.4-1. CVE-2013-6172 was fixed with https://github.com/roundcube/roundcubemail/commit/70c7df8faa5a9023a2773dc5a38932f1ad3a84aa applied on top of that.

Revision history for this message
Rolf Leggewie (r0lf) wrote :

saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".

Changed in roundcube (Ubuntu Saucy):
status: Incomplete → Won't Fix