[Pkg-roundcube-maintainers] Bug#1000156: roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings
Guilhem Moulin
guilhem at debian.org
Thu Nov 18 18:25:02 GMT 2021
Source: roundcube
Severity: important
Tags: security
Control: found -1 1.3.16+dfsg.1-1~deb10u1
Control: found -1 1.4.11+dfsg.1-4
Control: fixed -1 1.5.0+dfsg.1-1
In a recent post roundcube webmail upstream has announced the
following security fixes:
* Fix XSS issue in handling attachment filename extension in mimetype
mismatch warning
* Fix possible SQL injection via some session variables
sid/bookworm's 1.5.0+dfsg.1-2 is not affected. Upstream fixes for LTS
branches:
1.4.x https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
1.3.x https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa
--
Guilhem.
[0] https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20211118/fdfdbb7f/attachment.sig>
More information about the Pkg-roundcube-maintainers
mailing list