openSUSE-SU-2016:2109-1

Описание

This update for roundcubemail fixes the following vulnerabilities:

• CVE-2015-8864: XSS issue in SVG images handling (boo#976988)
• CVE-2015-2181: issue in DBMail driver of password plugin
• CVE-2016-4069: Cross-site request forgery in download URLs (boo#976988)

Roundcubemail was also updated to 1.1.5, fixing the following bugs:

• Plugin API: Add html2text hook
• Plugin API: Added addressbook_export hook
• Fix missing emoticons on html-to-text conversion
• Fix random 'access to this resource is secured against CSRF' message at logout
• Fix missing language name in 'Add to Dictionary' request in HTML mode
• Enable use of TLSv1.1 and TLSv1.2 for IMAP
• Fix bug where Archive/Junk buttons were not active after page jump with select=all mode
• Fix bug in long recipients list parsing for cases where recipient name contained @-char
• Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9
• Hide DSN option in Preferences when smtp_server is not used
• newmail_notifier: Refactor desktop notifications
• Fix so contactlist_fields option can be set via config file
• Fix so SPECIAL-USE assignments are forced only until user sets special folders
• Fix performance in reverting order of THREAD result
• Fix converting mail addresses with @www. into mailto links