[Pkg-roundcube-maintainers] roundcube: CVE-2020-16145: XSS vulnerability via HTML messages with malicious SVG or math content

Salvatore Bonaccorso carnil at debian.org
Tue Aug 11 19:47:05 BST 2020


Hi Guilhem,

On Tue, Aug 11, 2020 at 06:29:58PM +0200, Guilhem Moulin wrote:
> Dear security team,
> 
> In a recent post roundcube webmail upstream has announced the following
> security fix for #968216:
> 
>     Cross-site scripting (XSS) via HTML messages with malicious SVG
>     or math content (CVE-2020-16145)
> 
> AFAICT CVE-2020-16145 is only about SVG not math, but the upstream
> commit addresses both so I opened a single bug:
> https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b
> 
> The package in buster is currently following the 1.3 branch (1.3.15
> contains only the targeted fix).  Debdiff tested and attached, but
> I'd appreciate if you could take care of the DSA :-)

Thank you, please do upload to security-master! (Needs to build with
-sa).

Regards,
Salvatore
