exploitDog

openSUSE-SU-2024:0328-1

Published: 09 Oct 2024
Source: suse-cvrf

Description

Security update for roundcubemail

This update for roundcubemail fixes the following issues:

Update to 1.6.8. This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to recently reported security vulnerabilities:

  • Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
  • Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
  • Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

CHANGELOG

  • Managesieve: Protect special scripts in managesieve_kolab_master mode
  • Fix newmail_notifier notification focus in Chrome (#9467)
  • Fix fatal error when parsing some TNEF attachments (#9462)
  • Fix double scrollbar when composing a mail with many plain text lines (#7760)
  • Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
  • Fix bug where some messages could get malformed in an import from a MBOX file (#9510)
  • Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
  • Fix bug where 'with attachment' filter could fail on some fts engines (#9514)
  • Fix bug where an unhandled exception was caused by an invalid image attachment (#9475)
  • Fix bug where a long subject title could not be displayed in some cases (#9416)
  • Fix infinite loop when parsing malformed Sieve script (#9562)
  • Fix bug where imap_conn_option's 'socket' was ignored (#9566)
  • Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
  • Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
  • Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Package list

SUSE Package Hub 15 SP5
roundcubemail-1.6.8-bp156.2.3.1
SUSE Package Hub 15 SP6
roundcubemail-1.6.8-bp156.2.3.1
openSUSE Leap 15.5
roundcubemail-1.6.8-bp156.2.3.1
openSUSE Leap 15.6
roundcubemail-1.6.8-bp156.2.3.1

Description (CVE-2024-42008)

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.


Affected products
SUSE Package Hub 15 SP5: roundcubemail-1.6.8-bp156.2.3.1
SUSE Package Hub 15 SP6: roundcubemail-1.6.8-bp156.2.3.1
openSUSE Leap 15.5: roundcubemail-1.6.8-bp156.2.3.1
openSUSE Leap 15.6: roundcubemail-1.6.8-bp156.2.3.1
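The bug class behind CVE-2024-42008 is an attachment download whose response carries a Content-Type that the browser will render as an active document in the webmail origin. The following is an added example, not Roundcube's code and not its actual fix: a small Python policy function that decides the response headers for one attachment part so that only an allowlist of inert types keeps its declared type, everything else is downgraded to application/octet-stream and forced to a download, content sniffing is disabled, and the filename cannot inject further header lines. The allowlist, the function names and the sample parts are illustrative assumptions made for this example.

```python
import re

# Illustrative allowlist of MIME types that a browser treats as inert data.
# Everything else (HTML, SVG, XML, scripts, unknown types) is forced to an
# opaque download. This list is an assumption for the example, not Roundcube's.
INERT_TYPES = {
    "image/png", "image/jpeg", "image/gif", "image/webp",
    "text/plain", "audio/mpeg", "video/mp4",
}

_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
_MEDIA_TYPE = re.compile(rf"{_TOKEN}/{_TOKEN}")


def canonical_type(declared):
    """Reduce a Content-Type from the message part to a lowercase type/subtype.

    Parameters (charset=..., name=...) are dropped, surrounding whitespace is
    removed and anything that is not a syntactically valid media type becomes
    the empty string, so it can never match the allowlist.
    """
    base = declared.split(";", 1)[0].strip().lower()
    return base if _MEDIA_TYPE.fullmatch(base) else ""


def safe_filename(name):
    """Strip characters that could terminate or escape the header value."""
    cleaned = re.sub(r'[\r\n"\\]', "", name).strip()
    return cleaned or "attachment"


def attachment_headers(declared_type, filename, want_inline=False):
    """Return the response headers for serving one attachment part.

    want_inline is honoured only for allowlisted inert types (e.g. an image
    shown inside the message view); any other type is served as an
    application/octet-stream download regardless of what the message claims.
    """
    ctype = canonical_type(declared_type)
    if ctype not in INERT_TYPES:
        ctype = "application/octet-stream"
        want_inline = False
    disposition = "inline" if want_inline else "attachment"
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"',
        # Stop the browser from second-guessing the declared type.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: even if something is rendered, it gets no script
        # and no same-origin privileges.
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample parts, declared the way a sender could declare them.
    for declared, name in [
        ("text/html; charset=utf-8", "invoice.html"),
        ("IMAGE/SVG+XML", "logo.svg"),
        ("image/png", 'photo".png\r\nX-Injected: 1'),
        ("application/x-unknown", "blob"),
    ]:
        print(name, attachment_headers(declared, name, want_inline=True))
```

The point of normalising before the allowlist check is that the decision is made on the type the browser will actually use, not on the string the sender wrote: `TEXT/HTML; charset=utf-8` and `text/html` must land in the same branch, and a malformed type must never be treated as "not on the dangerous list" by accident.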


Description (CVE-2024-42009)

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.


Affected products
SUSE Package Hub 15 SP5: roundcubemail-1.6.8-bp156.2.3.1
SUSE Package Hub 15 SP6: roundcubemail-1.6.8-bp156.2.3.1
openSUSE Leap 15.5: roundcubemail-1.6.8-bp156.2.3.1
openSUSE Leap 15.6: roundcubemail-1.6.8-bp156.2.3.1


Description (CVE-2024-42010)

mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.


Affected products
SUSE Package Hub 15 SP5: roundcubemail-1.6.8-bp156.2.3.1
SUSE Package Hub 15 SP6: roundcubemail-1.6.8-bp156.2.3.1
openSUSE Leap 15.5: roundcubemail-1.6.8-bp156.2.3.1
openSUSE Leap 15.6: roundcubemail-1.6.8-bp156.2.3.1
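CVE-2024-42010 is about filtering CSS at the level of token sequences rather than literal substrings: what matters is what the browser's tokenizer sees after comments are removed and escapes are decoded, not the bytes in the message. As an added illustration (not Roundcube's mod_css_styles and not the specific bypass reported against it), the Python below contrasts a naive filter that drops declarations containing the literal `url(` with one that normalises first, so that `\75rl(` (the CSS hex escape for `u` followed by `rl(`) and `@import` are caught as well. The sample style strings are constructed for the example and the set of blocked token sequences is illustrative.

```python
import re

# Constructed sample style strings (not from any real message). The escaped
# forms spell "url(" with the CSS hex escape \75 for "u".
SAMPLE_CSS = {
    "benign":    "color: red; font-size: 12px;",
    "literal":   "color: red; background: url(http://tracker.example/p.gif);",
    "escaped":   "color: red; background: \\75rl(http://tracker.example/p.gif);",
    "spaced":    "color: red; background: \\75 rl(http://tracker.example/p.gif);",
    "at_import": "@import 'http://tracker.example/x.css'; color: red;",
}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS escape: backslash + 1..6 hex digits + optional single whitespace,
# or backslash + any other character (which then stands for itself).
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\([^\n\r\f0-9a-fA-F])")
# Illustrative set of token sequences that make the browser fetch a remote
# resource when the style is rendered. An assumption for this example.
_REMOTE = re.compile(r"(?:url|image-set)\s*\(|@import\b", re.I)


def decode_css_escapes(text):
    """Replace CSS escape sequences with the characters they denote."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return _ESCAPE.sub(repl, text)


def normalize(css):
    """What the CSS tokenizer effectively sees: no comments, no escapes."""
    return decode_css_escapes(_COMMENT.sub("", css))


def _join(declarations):
    return "; ".join(declarations) + (";" if declarations else "")


def filter_css_naive(css):
    """Substring filter: drops declarations containing the literal 'url('."""
    kept = [d.strip() for d in css.split(";")
            if d.strip() and "url(" not in d.lower()]
    return _join(kept)


def filter_css_hardened(css):
    """Normalize first, then drop every declaration with a remote-fetch token."""
    kept = [d.strip() for d in normalize(css).split(";")
            if d.strip() and not _REMOTE.search(d)]
    return _join(kept)


def leaks_remote(css):
    """Oracle: would a browser rendering this CSS fetch a remote resource?"""
    return _REMOTE.search(normalize(css)) is not None


if __name__ == "__main__":
    for name, css in SAMPLE_CSS.items():
        naive, hard = filter_css_naive(css), filter_css_hardened(css)
        print(f"{name:9} naive leaks={leaks_remote(naive)!s:5} "
              f"hardened leaks={leaks_remote(hard)}")
```

The naive filter passes `\75rl(...)` through untouched because the literal bytes never contain `url(`, yet the browser decodes the escape before tokenizing and fetches the tracker image, which is exactly the access-to-remote-content leak the advisory describes. Normalising (comment removal, escape decoding) before matching closes that gap; a production filter would go further and work on a real token stream rather than splitting on `;`.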
