openSUSE-SU-2024:0257-1

Описание

This update for roundcubemail fixes the following issues:

Update to 1.6.7

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerabilities:

• Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike.
• Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. Reported by Huy Nguyễn Phạm Nhật.
• Fix command injection via crafted im_convert_path/im_identify_path on Windows. Reported by Huy Nguyễn Phạm Nhật.

CHANGELOG

• Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
• Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
• Fix bug in collapsing/expanding folders with some special characters in names (#9324)
• Fix PHP8 warnings (#9363, #9365, #9429)
• Fix missing field labels in CSV import, for some locales (#9393)
• Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
• Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
• Fix command injection via crafted im_convert_path/im_identify_path on Windows

Update to 1.6.6:

• Fix regression in handling LDAP search_fields configuration parameter (#9210)
• Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
• Fix page jump menu flickering on click (#9196)
• Update to TinyMCE 5.10.9 security release (#9228)
• Fix PHP8 warnings (#9235, #9238, #9242, #9306)
• Fix saving other encryption settings besides enigma's (#9240)
• Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
• Fix TinyMCE localization installation (#9266)
• Fix bug where trailing non-ascii characters in email addresses could have been removed in recipient input (#9257)
• Fix IMAP GETMETADATA command with options - RFC5464

Update to 1.6.5 (boo#1216895):

• Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download CVE-2023-47272

Other changes:

• Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
• Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters (#9166)
• Fix PHP warnings (#9174)
• Fix UI issue when dealing with an invalid managesieve_default_headers value (#9175)
• Fix bug where images attached to application/smil messages weren't displayed (#8870)
• Fix PHP string replacement error in utils/error.php (#9185)
• Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder (#9162)