[Pkg-roundcube-maintainers] Bug#1054079: roundcube: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages
Guilhem Moulin
guilhem at debian.org
Mon Oct 16 19:24:12 BST 2023
Source: roundcube
Version: 1.6.3+dfsg-2
Severity: important
Tags: security upstream
Control: found -1 1.3.17+dfsg.1-1~deb10u3
Control: found -1 1.4.14+dfsg.1-1~deb11u1
Control: found -1 1.6.3+dfsg-1~deb12u1
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/9168
In a recent post, roundcube webmail upstream has announced the
following security fix:
* Fix cross-site scripting (XSS) vulnerability in handling of SVG in
HTML messages.
AFAICT no CVE ID has been assigned or requested yet, so I'll file a
request to that effect. Upstream fixes for stable and LTS branches:
1.6.x https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
1.4.x https://github.com/roundcube/roundcubemail/commit/7b2df52ede57bab9e87e9c3bc00601eeca591a5e
https://github.com/roundcube/roundcubemail/commit/dc7b6850c68870570b438d79c0949a5031522127
1.3.x is no longer supported upstream but AFAICT affected nonetheless.
--
Guilhem.