[Pkg-roundcube-maintainers] roundcube: CVE-2020-16145: XSS vulnerability via HTML messages with malicious SVG or math content
Salvatore Bonaccorso
carnil at debian.org
Tue Aug 11 19:47:05 BST 2020
Hi Guilhem,
On Tue, Aug 11, 2020 at 06:29:58PM +0200, Guilhem Moulin wrote:
> Dear security team,
>
> In a recent post roundcube webmail upstream has announced the following
> security fix for #968216:
>
> Cross-site scripting (XSS) via HTML messages with malicious SVG
> or math content (CVE-2020-16145)
>
> AFAICT CVE-2020-16145 is only about SVG not math, but the upstream
> commit addresses both so I opened a single bug:
> https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b
>
> The package in buster is currently following the 1.3 branch (1.3.15
> contains only only the targeted fix). Debdiff tested and attached, but
> I'd appreciate if you could take care of the DSA :-)
Thank you, please do upload to security-master! (Needs to build with
-sa).
Regards,
Salvatore
More information about the Pkg-roundcube-maintainers
mailing list