openSUSE-SU-2024:0257-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2024:0257-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2024:0257-1
Related
Published
2024-08-21T11:35:59Z
Modified
2024-08-21T11:35:59Z
Summary
Security update for roundcubemail
Details

This update for roundcubemail fixes the following issues:

Update to 1.6.7

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerabilities:

  • Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike.
  • Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. Reported by Huy Nguyễn Phạm Nhật.

  • Fix command injection via crafted imconvertpath/imidentifypath on Windows. Reported by Huy Nguyễn Phạm Nhật.

    CHANGELOG

  • Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)

  • Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
  • Fix bug in collapsing/expanding folders with some special characters in names (#9324)
  • Fix PHP8 warnings (#9363, #9365, #9429)
  • Fix missing field labels in CSV import, for some locales (#9393)
  • Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
  • Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
  • Fix command injection via crafted imconvertpath/imidentifypath on Windows

Update to 1.6.6:

  • Fix regression in handling LDAP search_fields configuration parameter (#9210)
  • Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
  • Fix page jump menu flickering on click (#9196)
  • Update to TinyMCE 5.10.9 security release (#9228)
  • Fix PHP8 warnings (#9235, #9238, #9242, #9306)
  • Fix saving other encryption settings besides enigma's (#9240)
  • Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
  • Fix TinyMCE localization installation (#9266)
  • Fix bug where trailing non-ascii characters in email addresses could have been removed in recipient input (#9257)
  • Fix IMAP GETMETADATA command with options - RFC5464

Update to 1.6.5 (boo#1216895):

  • Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download CVE-2023-47272

    Other changes:

  • Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)

  • Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters (#9166)
  • Fix PHP warnings (#9174)
  • Fix UI issue when dealing with an invalid managesievedefaultheaders value (#9175)
  • Fix bug where images attached to application/smil messages weren't displayed (#8870)
  • Fix PHP string replacement error in utils/error.php (#9185)
  • Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder (#9162)
References

Affected packages

SUSE:Package Hub 15 SP5 / roundcubemail

Package

Name
roundcubemail
Purl
pkg:rpm/suse/roundcubemail&distro=SUSE%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.7-bp155.2.9.1

Ecosystem specific 

{
    "binaries": [
        {
            "roundcubemail": "1.6.7-bp155.2.9.1"
        }
    ]
}

openSUSE:Leap 15.5 / roundcubemail

Package

Name
roundcubemail
Purl
pkg:rpm/opensuse/roundcubemail&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.7-bp155.2.9.1

Ecosystem specific 

{
    "binaries": [
        {
            "roundcubemail": "1.6.7-bp155.2.9.1"
        }
    ]
}