[Pkg-roundcube-maintainers] Bug#857473: roundcube: XSS issue in handling of a style tag inside of an svg element
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 11 19:29:11 UTC 2017
Source: roundcube
Version: 1.2.3+dfsg.1-1
Severity: important
Tags: security patch upstream fixed-upstream
Hi
The roundcube 1.2.4 release fixed an XSS issue in handling of a style tag
inside of an svg element.
AFAICT, this issue does not yet have a CVE assigned, thus I have requested
one.
Fixed by:
https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4
Upstream changelog:
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124
https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
Can you make sure the isolated fix (unless 1.2.4 gets acked by the
release team) makes it into stretch, and ask for an unblock for it?
Regards,
Salvatore