SUSE 5185 Published by

The following security update has been released for SUSE Linux Enterprise 15 SP5:

openSUSE-SU-2024:0257-1: moderate: Security update for roundcubemail




openSUSE-SU-2024:0257-1: moderate: Security update for roundcubemail


openSUSE Security Update: Security update for roundcubemail
_______________________________

Announcement ID: openSUSE-SU-2024:0257-1
Rating: moderate
References: #1216895
Cross-References: CVE-2023-47272
CVSS scores:
CVE-2023-47272 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for roundcubemail fixes the following issues:

Update to 1.6.7

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:

* Fix cross-site scripting (XSS) vulnerability in handling SVG animate
attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike.
* Fix cross-site scripting (XSS) vulnerability in handling list columns
from user preferences. Reported by Huy Nguyá»n Phạm Nhật.
* Fix command injection via crafted im_convert_path/im_identify_path on
Windows. Reported by Huy Nguyá»n Phạm Nhật.

CHANGELOG

* Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
* Fix bug where HTML entities in URLs were not decoded on HTML to plain
text conversion (#9312)
* Fix bug in collapsing/expanding folders with some special characters
in names (#9324)
* Fix PHP8 warnings (#9363, #9365, #9429)
* Fix missing field labels in CSV import, for some locales (#9393)
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate
attributes
* Fix cross-site scripting (XSS) vulnerability in handling list columns
from user preferences
* Fix command injection via crafted im_convert_path/im_identify_path on
Windows

Update to 1.6.6:

* Fix regression in handling LDAP search_fields configuration parameter
(#9210)
* Enigma: Fix finding of a private key when decrypting a message using
GnuPG v2.3
* Fix page jump menu flickering on click (#9196)
* Update to TinyMCE 5.10.9 security release (#9228)
* Fix PHP8 warnings (#9235, #9238, #9242, #9306)
* Fix saving other encryption settings besides enigma's (#9240)
* Fix unneeded php command use in installto.sh and deluser.sh scripts
(#9237)
* Fix TinyMCE localization installation (#9266)
* Fix bug where trailing non-ascii characters in email addresses could
have been removed in recipient input (#9257)
* Fix IMAP GETMETADATA command with options - RFC5464

Update to 1.6.5 (boo#1216895):

* Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment preview/download
CVE-2023-47272

Other changes:

* Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
* Fix duplicated Inbox folder on IMAP servers that do not use Inbox
folder with all capital letters (#9166)
* Fix PHP warnings (#9174)
* Fix UI issue when dealing with an invalid managesieve_default_headers
value (#9175)
* Fix bug where images attached to application/smil messages weren't
displayed (#8870)
* Fix PHP string replacement error in utils/error.php (#9185)
* Fix regression where smtp_user did not allow pre/post strings
before/after %u placeholder (#9162)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-257=1

Package List:

- openSUSE Backports SLE-15-SP5 (noarch):

roundcubemail-1.6.7-bp155.2.9.1

References:

https://www.suse.com/security/cve/CVE-2023-47272.html
https://bugzilla.suse.com/1216895