[Pkg-roundcube-maintainers] Bug#1071474: roundcube: xx
Guilhem Moulin
guilhem at debian.org
Sun May 19 22:18:02 BST 2024
Source: roundcube
Version: 1.6.6+dfsg-2
Severity: important
Control: found -1 1.6.5+dfsg-1~deb12u1
Control: found -1 1.4.15+dfsg.1-1~deb11u2
Control: found -1 1.3.17+dfsg.1-1~deb10u5
Tags: security upstream
Roundcube webmail upstream has recently released 1.6.7 [0] which fixes
the following vulnerabilities:
* Fix command injection via crafted im_convert_path/im_identify_path
on Windows.
https://github.com/roundcube/roundcubemail/commit/7da322371fd00a54670a5d6679faae0fcbd3f229
* Fix cross-site scripting (XSS) vulnerability in handling list
columns from user preferences.
https://github.com/roundcube/roundcubemail/commit/9ca8aa6680c579132e0d1fa59447df8d524ec91c
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate
attributes.
https://github.com/roundcube/roundcubemail/commit/ba252dc5e2946506cb8d0b50b2b7bf95ab51876f
AFAICT no CVE-ID has been published for these issues, I'll request them.
--
Guilhem.
[0] https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20240519/7b459811/attachment.sig>
More information about the Pkg-roundcube-maintainers
mailing list