-2

For almost four weeks, since October 18th, there has been a vulnerability in Roundcube, including CVE-2023-5631, and the status is still: needs triage. When will this be solved, and will it get a released status so that this vulnerability issue is resolved? In Debian this bug was solved long ago. This is taking too long now for a medium priority.

1 Answer

2

You're generally addressing this in the wrong space. Nobody (or at least very few) here are involved in backporting packages for the Universe repositories.

You should instead contact the MOTU (Masters of the Universe) maintainers, as indicated on the Roundcube package page (perhaps through the mailing list or on Launchpad).

Also, since nobody can look into the future, this will probably be closed as "opinion based". And finally, complaining about the state of things won't really help anything at all.

Artur Meinild
  • Thank you for your reply. I will kick someone there. Maybe that helps and they'll start doing their work. – F. Luteijn Nov 13 '23 at 15:10
  • 3
    Kick thyself first. The process for patching Universe packages is that a community member (like you!) does the patching and testing. Then they contact a MOTU "Hey I have this patched package that mitigates CVE-2023-5631", with a cc: to the Ubuntu Security Team. Alternately, paid Ubuntu Pro subscribers (not free tier) can reach out to their support contact for a Canonical engineer to do the work. – user535733 Nov 13 '23 at 15:23