[Pkg-roundcube-maintainers] Bug#1077969: roundcube: CVE-2024-42008, CVE-2024-42009, CVE-2024-42010: XSS and information leak vulnerabilities
Guilhem Moulin
guilhem at debian.org
Mon Aug 5 10:29:20 BST 2024
Source: roundcube
Version: 1.6.7+dfsg-1
Severity: important
Found: -1 1.4.15+dfsg.1-1+deb11u3
Found: -1 1.6.5+dfsg-1+deb12u2
Tags: upstream security
Roundcube webmail upstream has recently released 1.6.8 [0] which fixes the following vulnerabilities:

* CVE-2024-42008: XSS vulnerability in serving of attachments other than HTML or SVG
  https://github.com/roundcube/roundcubemail/commit/89c8fe9ae9318c015807fbcbf7e39555fb30885d
* CVE-2024-42009: XSS vulnerability in post-processing of sanitized HTML content
  https://github.com/roundcube/roundcubemail/commit/68af7c864a36e1941764238dac440ab0d99a8d26
* CVE-2024-42010: information leak (access to remote content) via insufficient CSS filtering
  https://github.com/roundcube/roundcubemail/commit/602d0f566eb39b6dcb739ad78323ec434a3b92ce
--
Guilhem.
[0] https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
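The third item, CVE-2024-42010, is the class of bug where CSS that survives filtering still causes the mail client to fetch remote resources, which tells the sender when and from where a message was opened. As an added illustration that is not Roundcube's code or its fix, the following Python walks a message body's style attributes and <style> blocks and reports every reference that would trigger a network fetch; the sample HTML, the `tracker.example` host and the function names are constructed for this example.

```python
import re
from html.parser import HTMLParser
# Constructed sample mail body (not from the advisory): CSS that would fetch
# remote resources on render; data: and cid: references are local and benign.
SAMPLE_HTML = """<div style="background:url(https://tracker.example/p.gif)">hi</div>
<style>
@import "https://tracker.example/a.css";
.x { background-image: url( '//tracker.example/b.png' ); }
.y { background: url(data:image/png;base64,AAAA) }
</style>
<p style="background: url(cid:part1.png)">inline</p>"""
# url(...) and @import forms, tolerating quotes and whitespace so a reference
# written as url( "..." ) is not missed by the scan.
_REF_RE = re.compile(
    r"(?:@import\s+(?:url\(\s*)?|url\(\s*)(['\"]?)([^'\")\s;]+)\1", re.I)

def is_remote(ref):
    """True if a CSS reference would trigger a network fetch."""
    ref = ref.strip().lower()
    if ref.startswith("//"):  # protocol-relative URL
        return True
    m = re.match(r"([a-z][a-z0-9+.-]*):", ref)
    return bool(m) and m.group(1) not in ("data", "cid")

class _CssCollector(HTMLParser):
    """Gather every style="" attribute and <style> block."""
    def __init__(self):
        super().__init__()
        self.blocks, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        self.blocks += [v for k, v in attrs if k == "style" and v]
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self.blocks.append(data)

def find_remote_css_refs(html):
    """Remote CSS references in document order, duplicates removed."""
    p = _CssCollector()
    p.feed(html)
    found = []
    for block in p.blocks:
        for m in _REF_RE.finditer(block):
            ref = m.group(2)
            if is_remote(ref) and ref not in found:
                found.append(ref)
    return found
```

The scan covers url() and @import only; a sanitizer in a real webmail client also has to handle the other CSS constructs that accept URLs, and should drop or rewrite the references rather than just report them.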