[Pkg-roundcube-maintainers] Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content

Guilhem Moulin guilhem at debian.org
Sun Jan 2 21:50:25 GMT 2022


Package: roundcube
Severity: important
Tags: security
Control: found -1 1.3.17+dfsg.1-1~deb10u1
Control: found -1 1.4.12+dfsg.1-1~deb11u1
Control: fixed -1 1.5.1+dfsg-1

In a recent post roundcube webmail upstream has announced a fix for a
cross-site scripting (XSS) vulnerability via HTML messages with
malicious CSS content.

Upstream fix for the 1.4 LTS branch:
https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8

There was no new 1.3 LTS release but AFAICT 1.3 is affected as well and
the same fix applies.

-- 
Guilhem.

[0] https://roundcube.net/news/2021/12/30/security-update-1.4.13-released
    https://roundcube.net/news/2021/12/30/update-1.5.2-released