Security update for roundcubemail
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2016:0213-1
Final
1
1
2016-01-24T10:58:02Z
current
2016-01-24T10:58:02Z
2016-01-24T10:58:02Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for roundcubemail
This update to roundcubemail 1.1.4 fixes the following issues:
- CVE-2015-8770: A path traversal vulnerability allowed remote authenticated users to execute code if they were also able to upload files to the same server through some other method (boo#962067)
This update also contains all upstream fixes in 1.1.4.
The package was updated to use generic PHP requirements so that it can be used with prefixes other than 'php5-'.
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html
E-Mail link for openSUSE-SU-2016:0213-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
openSUSE Leap 42.1
roundcubemail-1.1.4-6.1
roundcubemail-1.1.4-6.1 as a component of openSUSE Leap 42.1
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.
CVE-2015-8770
openSUSE Leap 42.1:roundcubemail-1.1.4-6.1
moderate
Please install the update.
https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html
https://www.suse.com/security/cve/CVE-2015-8770.html
CVE-2015-8770
https://bugzilla.suse.com/962067
SUSE Bug 962067