[Pkg-roundcube-maintainers] Bug#1000156: roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings
Salvatore Bonaccorso
carnil at debian.org
Fri Nov 19 07:29:59 GMT 2021
Hi,
On Thu, Nov 18, 2021 at 07:25:02PM +0100, Guilhem Moulin wrote:
> Source: roundcube
> Severity: important
> Tags: security
> Control: found -1 1.3.16+dfsg.1-1~deb10u1
> Control: found -1 1.4.11+dfsg.1-4
> Control: fixed -1 1.5.0+dfsg.1-1
>
> In a recent post roundcube webmail upstream has announced the
> following security fixes:
>
> * Fix XSS issue in handling attachment filename extension in mimetype
> mismatch warning
> * Fix possible SQL injection via some session variables
>
> sid/bookworm's 1.5.0+dfsg.1-2 is not affected. Upstream fixes for LTS
> branches:
>
> 1.4.x https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
> https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
> 1.3.x https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
> https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa
CVEs are assigned as follows (by MITRE):
CVE-2021-44025 for th XSS issue
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44025
CVE-2021-44026 for the SQL injection.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44026
Regards,
Salvatore
More information about the Pkg-roundcube-maintainers
mailing list