Hi there,
Your download page lists the SHA256 checksums of the tarballs to let users verify the integrity of the downloaded file(s). To address a different threat model and offer integrity verification of cryptographic quality [0], please also consider signing your git tags (with ‘git tag --sign’), and/or provide detached cryptographic signatures for the future release tarballs.
As far as Debian is concerned a detached OpenPGP signature would be preferable since our packaging tools can automatically download tarballs and cryptographically verify their integrity in one go. Assuming you have an OpenPGP key [1], an ASCII armored (.asc) detached signature can be generated with
gpg --armor --detach-sign /path/to/roundcubemail-x.y.z.tar.gz
Completely unrelated, please note that the “1.1.3 — Dependent” tarball includes moxieplayer.swf, while the last mention of moxieplayer in your changelog says “TinyMCE security issue: removed moxieplayer (embedding flv and mp4 is not supported anymore)”. Was it re-added by mistake? (Anyway, that file violates the DFSG and will be removed from the upcoming 1.1.3 Debian packages.)
Thanks! Cheers,
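Added example (not part of the thread, and not Roundcube's or Debian's own tooling): the signing step from the mail above, followed by the verification a downstream consumer would run, and a tampering check that shows why a checksum listed next to the tarball does not address the same threat as a detached signature. It uses a throw-away key in a temporary GNUPGHOME; the key user ID, file name and payload are constructed for the demo, and GnuPG 2.1 or later is assumed (for --quick-generate-key and --pinentry-mode loopback).

```shell
#!/bin/sh
# Added example, not from the thread: end-to-end detached OpenPGP signing and
# verification of a release file, plus a demonstration of why a SHA256 checksum
# published next to the tarball does not cover the same threat. Uses a
# throw-away key in a temporary GNUPGHOME; the user ID, file name and payload
# below are constructed for the demo. Assumes GnuPG 2.1+ (--quick-generate-key,
# --pinentry-mode loopback).
set -u

# Prints "ok" if the genuine file verifies and a tampered copy does not,
# "fail" otherwise, and "skip" if gpg is unavailable or cannot set up a key here.
demo_detached_signature() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    H=$(mktemp -d) || { echo fail; return 1; }
    chmod 700 "$H"

    # All gpg calls use the isolated homedir and an empty passphrase so they
    # need no interactive pinentry.
    g() { gpg --homedir "$H" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
    cleanup() {
        if command -v gpgconf >/dev/null 2>&1; then
            gpgconf --homedir "$H" --kill gpg-agent 2>/dev/null || true
        fi
        rm -rf "$H"
    }

    # Constructed stand-in for the release tarball (the signature covers raw
    # bytes, so the content need not be a real gzip archive).
    T="$H/example-release.tar.gz"
    printf 'constructed release payload\n' > "$T"

    # Throw-away signing key, standing in for the key the maintainer already has.
    if ! g --quick-generate-key 'Example Release Key <release@example.invalid>' default default never 2>/dev/null; then
        cleanup; echo skip; return 0
    fi

    # Maintainer side: the command from the mail; writes example-release.tar.gz.asc
    g --armor --detach-sign "$T" || { cleanup; echo fail; return 1; }

    # Downstream side (e.g. a packaging tool): verify the detached signature
    # against the tarball. Exit status 0 means a good signature from a known key.
    genuine=fail
    if g --verify "$T.asc" "$T" 2>/dev/null; then genuine=ok; fi

    # An attacker who can replace the tarball on the download server can also
    # replace the checksum listed next to it, so sha256sum on the altered file
    # still matches whatever value they publish. The signature cannot be
    # regenerated without the maintainer's private key, so --verify must fail.
    printf 'malicious addition\n' >> "$T"
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$T" >&2; fi
    tampered=fail
    if ! g --verify "$T.asc" "$T" 2>/dev/null; then tampered=ok; fi

    cleanup
    if [ "$genuine" = ok ] && [ "$tampered" = ok ]; then echo ok; else echo fail; fi
}

demo_detached_signature
```

The downstream check is the one-liner `gpg --verify roundcubemail-x.y.z.tar.gz.asc roundcubemail-x.y.z.tar.gz` (with the maintainer's public key imported beforehand); the exit status, not the printed text, is what automation should act on.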
On 10/18/2015 01:23 AM, Guilhem Moulin wrote:
> Completely unrelated, please note that the “1.1.3 — Dependent” tarball includes moxieplayer.swf, while the last mention of moxieplayer in your changelog says “TinyMCE security issue: removed moxieplayer (embedding flv and mp4 is not supported anymore)”. Was it re-added by mistake? (Anyway, that file violates the DFSG and will be removed from the upcoming 1.1.3 Debian packages.)
The file was re-added with the update to TinyMCE 4.x. I don't know if it's still vulnerable; the file is in a newer version according to git.
Thomas, do you remember what vulnerability it was?
On Wed, Oct 21, 2015 at 8:54 PM, A.L.E.C alec@alec.pl wrote:
> On 10/18/2015 01:23 AM, Guilhem Moulin wrote:
>> Completely unrelated, please note that the “1.1.3 — Dependent” tarball includes moxieplayer.swf, while the last mention of moxieplayer in your changelog says “TinyMCE security issue: removed moxieplayer (embedding flv and mp4 is not supported anymore)”. Was it re-added by mistake? (Anyway, that file violates the DFSG and will be removed from the upcoming 1.1.3 Debian packages.)
> The file was re-added with the update to TinyMCE 4.x. I don't know if it's still vulnerable; the file is in a newer version according to git.
> Thomas, do you remember what vulnerability it was?
Finally I found it. I just forwarded the original report to you. And here's a related commit which removed that file back in 2011: https://github.com/roundcube/roundcubemail/commit/d6284b4d22d1e
According to this page http://cxsecurity.com/issue/WLB-2013070017 the vulnerability has been fixed in TinyMCE 4.0 which we have in Roundcube 1.1.
Cheers, Thomas
On 01/02/2016 02:34 PM, Thomas Bruederli wrote:
> According to this page http://cxsecurity.com/issue/WLB-2013070017 the vulnerability has been fixed in TinyMCE 4.0 which we have in Roundcube 1.1.
And I couldn't reproduce the described issue anymore.