A roundcubemail security update has been released for Fedora 30.



SECURITY: Fedora 30 Update: roundcubemail-1.4.4-1.fc30


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-57f2df7424
2020-05-09 03:43:03.361473
--------------------------------------------------------------------------------

Name : roundcubemail
Product : Fedora 30
Version : 1.4.4
Release : 1.fc30
URL :   http://www.roundcube.net
Summary : Round Cube Webmail is a browser-based multilingual IMAP client
Description :
RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.

--------------------------------------------------------------------------------
Update Information:

**Version 1.4.4** This is a **service and security update** to the stable
version 1.4 of Roundcube Webmail. It contains four fixes for recently reported
security vulnerabilities as well as a number of general improvements from our
issue tracker.

- Fix bug where attachments with Content-Id were attached to the message on
  reply (#7122)
- Fix identity selection on reply when both sender and recipient addresses are
  included in identities (#7211)
- Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain
  text editor when using Chrome (#7230)
- Elastic: Fix recipient input bug when using click to select a contact from
  autocomplete list (#7231)
- Elastic: Fix color of a folder with recent messages (#7281)
- Elastic: Restrict logo size in print view (#7275)
- Fix invalid Content-Type for messages with only html part and inline images -
  Mail_Mime-1.10.7 (#7261)
- Fix missing contact display name in QR Code data (#7257)
- Fix so button label in Select image/media dialogs is "Close" not "Cancel"
  (#7246)
- Fix regression in testing database schema on MSSQL (#7227)
- Fix cursor position after inserting a group to a recipient input using
  autocompletion (#7267)
- Fix string literals handling in IMAP STATUS (and various other) responses
  (#7290)
- Fix bug where multiple images in a message were replaced by the first one on
  forward/reply/edit (#7293)
- Fix handling keyservers configured with protocol prefix (#7295)
- Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
- Markasjunk: Fix bug where moving to Junk was failing on messages selected
  with Select > All (#7206)
- Fix so imap error message is displayed to the user on folder create/update
  (#7245)
- Fix bug where a special folder couldn't be created if a special-use flag is
  not supported (#7147)
- Mailvelope: Fix bug where recipients with name were not handled properly in
  mail compose (#7312)
- Fix characters encoding in group rename input after group creation/rename
  (#7330)
- Fix bug where some message/rfc822 parts could not be attached on forward
  (#7323)
- Make install-jsdeps.sh script working without the 'file' program installed
  (#7325)
- Fix performance issue of parsing big HTML messages by disabling HTML5 parser
  for these (#7331)
- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
- **Security**: Fix XSS issue in handling of CDATA in HTML messages
- **Security**: Fix remote code execution via crafted 'im_convert_path' or
  'im_identify_path' settings
- **Security**: Fix local file inclusion (and code execution) via crafted
  'plugins' option
- **Security**: Fix CSRF bypass that could be used to log out an authenticated
  user (#7302)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 30 2020 Remi Collet - 1.4.4-1
- update to 1.4.4
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-57f2df7424' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys