[Pkg-roundcube-maintainers] roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content

Guilhem Moulin guilhem at debian.org
Wed Jan 12 15:07:03 GMT 2022


Hi Sylvain!

On Wed, 12 Jan 2022 at 15:48:51 +0100, Sylvain Beucler wrote:
> On 12/01/2022 14:15, Guilhem Moulin wrote:
>> In a recent post roundcube webmail upstream has announced the following
>> security fix for #1003027.
>> 
>>     CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML
>>     messages with malicious CSS content.
>> 
>> (Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and
>> 1.3 are affected too and the same fix applies cleanly.  buster- and
>> bullseye-security are no longer affected.)
>> 
>> Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached.  I can upload
>> if you'd like but would appreciate if you could take care of the DLA :-)
> 
> Thanks for the update. Go ahead and upload to stretch-security, and I'll
> publish the DLA accordingly :)

Uploaded to security-master, thank you!
 
> (out of curiosity, was there an issue with keeping the
> "$this->config['charset']" bit from the original patch?)

Ah yeah, forgot to mention that bit :-)  There was no issue as far as I
could tell.  I don't have a strong opinion either way, but given
htmlspecialchars()'s optional 3rd argument was added for 1.4-beta in
https://github.com/roundcube/roundcubemail/commit/73ea8f94d01a87c3b9e83c96d1b795ca27151f16
I decided to drop it for stretch- and buster-security uploads.

Cheers,
-- 
Guilhem.