[Pkg-roundcube-maintainers] Security issue (CVE-2021-46144) in roundcube 1.3.17+dfsg.1-1~deb10u1 and 1.4.12+dfsg.1-1~deb11u1

Sébastien Delafond seb at debian.org
Thu Jan 6 12:38:33 GMT 2022


On 06/01 11:51, Guilhem Moulin wrote:
> In a recent post roundcube webmail upstream has announced a fix for a
> cross-site scripting (XSS) vulnerability via HTML messages with
> malicious CSS content.  This was assigned CVE-2021-46144 (thanks to
> carnil for the assignment)!
> 
> Upstream fix for the 1.4 LTS branch:
> https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8
> 
> There was no new 1.3 LTS release but AFAICT buster's
> 1.3.17+dfsg.1-1~deb10u1 is affected as well and the same fix applies.
> debdiffs attached for oldstable- and stable-security.  (The fix itself
> comes from upstream's 1.4.13, but I had to tweak the test vector to
> make the test suite pass on bullseye.) Both versions have been tested.

Thank you Guilhem, I will review those shortly.

Cheers,

-- 
Seb