openSUSE-SU-2024:0257-1: moderate: Security update for roundcubemail
openSUSE-SU-2024:0257-1: moderate: Security update for roundcubemail
openSUSE Security Update: Security update for roundcubemail
_______________________________
Announcement ID: openSUSE-SU-2024:0257-1
Rating: moderate
References: #1216895
Cross-References: CVE-2023-47272
CVSS scores:
CVE-2023-47272 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________
An update that fixes one vulnerability is now available.
Description:
This update for roundcubemail fixes the following issues:
Update to 1.6.7
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate
attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike.
* Fix cross-site scripting (XSS) vulnerability in handling list columns
from user preferences. Reported by Huy Nguyá»n Phạm Nháºt.
* Fix command injection via crafted im_convert_path/im_identify_path on
Windows. Reported by Huy Nguyá»n Phạm Nháºt.
CHANGELOG
* Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
* Fix bug where HTML entities in URLs were not decoded on HTML to plain
text conversion (#9312)
* Fix bug in collapsing/expanding folders with some special characters
in names (#9324)
* Fix PHP8 warnings (#9363, #9365, #9429)
* Fix missing field labels in CSV import, for some locales (#9393)
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate
attributes
* Fix cross-site scripting (XSS) vulnerability in handling list columns
from user preferences
* Fix command injection via crafted im_convert_path/im_identify_path on
Windows
Update to 1.6.6:
* Fix regression in handling LDAP search_fields configuration parameter
(#9210)
* Enigma: Fix finding of a private key when decrypting a message using
GnuPG v2.3
* Fix page jump menu flickering on click (#9196)
* Update to TinyMCE 5.10.9 security release (#9228)
* Fix PHP8 warnings (#9235, #9238, #9242, #9306)
* Fix saving other encryption settings besides enigma's (#9240)
* Fix unneeded php command use in installto.sh and deluser.sh scripts
(#9237)
* Fix TinyMCE localization installation (#9266)
* Fix bug where trailing non-ascii characters in email addresses could
have been removed in recipient input (#9257)
* Fix IMAP GETMETADATA command with options - RFC5464
Update to 1.6.5 (boo#1216895):
* Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment preview/download
CVE-2023-47272
Other changes:
* Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
* Fix duplicated Inbox folder on IMAP servers that do not use Inbox
folder with all capital letters (#9166)
* Fix PHP warnings (#9174)
* Fix UI issue when dealing with an invalid managesieve_default_headers
value (#9175)
* Fix bug where images attached to application/smil messages weren't
displayed (#8870)
* Fix PHP string replacement error in utils/error.php (#9185)
* Fix regression where smtp_user did not allow pre/post strings
before/after %u placeholder (#9162)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP5:
zypper in -t patch openSUSE-2024-257=1
Package List:
- openSUSE Backports SLE-15-SP5 (noarch):
roundcubemail-1.6.7-bp155.2.9.1
References:
https://www.suse.com/security/cve/CVE-2023-47272.html
https://bugzilla.suse.com/1216895
