[Pkg-roundcube-maintainers] Bug#1056702: roundcube: Cross-site scripting (XSS) vulnerability
Martin Dosch
martin at mdosch.de
Fri Nov 24 22:56:01 GMT 2023
Package: roundcube
Severity: important

Dear Maintainer,

upstream released version 1.6.5 which fixes a cross-site scripting (XSS)
vulnerability in setting Content-Type/Content-Disposition for attachment
preview/download reported by Rene Rehme: https://github.com/roundcube/roundcubemail/releases/tag/1.6.5

It would be awesome if this could be packaged and added to the upcoming
point release.

Best regards,
Martin
-- System Information:
Debian Release: 12.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages roundcube depends on:
ii dpkg 1.21.22
pn roundcube-core <none>
roundcube recommends no packages.
roundcube suggests no packages.