[Pkg-roundcube-maintainers] roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content
Sylvain Beucler
beuc at beuc.net
Wed Jan 12 14:48:51 GMT 2022
Hello Guilhem,
On 12/01/2022 14:15, Guilhem Moulin wrote:
> In a recent post roundcube webmail upstream has announced the following
> security fix for #1003027.
>
> CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML
> messages with malicious CSS content.
>
> (Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and
> 1.3 are affected too and the same fix applies cleanly. buster- and
> bullseye-security are no longer affected.)
>
> Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached. I can upload
> if you'd like but would appreciate if you could take care of the DLA :-)
Thanks for the update. Go ahead and upload to stretch-security, and I'll
publish the DLA accordingly :)
(out of curiosity, was there an issue with keeping the
"$this->config['charset']" bit from the original patch?)
Cheers!
Sylvain Beucler
Debian LTS Team