[Pkg-roundcube-maintainers] roundcube: CVE-2020-16145: XSS vulnerability via HTML messages with malicious SVG or math content
Roberto C. Sánchez
roberto at debian.org
Tue Aug 11 19:57:15 BST 2020
On Tue, Aug 11, 2020 at 01:40:48PM -0400, Roberto C. Sánchez wrote:
> On Tue, Aug 11, 2020 at 07:11:57PM +0200, Guilhem Moulin wrote:
> > Dear security team,
> >
> > In a recent post roundcube webmail upstream has announced the following
> > security fix for #968216:
> >
> > Cross-site scripting (XSS) via HTML messages with malicious SVG
> > or math content (CVE-2020-16145)
> >
> > AFAICT CVE-2020-16145 is only about SVG not math, but the upstream
> > commit addresses both so I opened a single bug:
> > https://github.com/roundcube/roundcubemail/commit/589d36010048300ed39f4887aab1afd3ae98d00e
> >
> > Debdiff tested and attached, but I'd appreciate if you could take care
> > of the DLA :-)
> >
> > Thanks!
> > Cheers,
> > --
> > Guilhem.
>
> Hi Guilhem,
>
> I'll take care of it shortly.
>
I have uploaded the update, published the DLA to the mailing list, and
submitted a Salsa MR for the advisory update on the website.
Regards,
-Roberto
--
Roberto C. Sánchez