Security update for roundcubemail SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0257-1 Final 1 1 2024-08-21T11:35:59Z current 2024-08-21T11:35:59Z 2024-08-21T11:35:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for roundcubemail This update for roundcubemail fixes the following issues: Update to 1.6.7 This is a security update to the stable version 1.6 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerabilities: * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike. * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. Reported by Huy Nguyễn Phạm Nhật. * Fix command injection via crafted im_convert_path/im_identify_path on Windows. Reported by Huy Nguyễn Phạm Nhật. CHANGELOG * Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313) * Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312) * Fix bug in collapsing/expanding folders with some special characters in names (#9324) * Fix PHP8 warnings (#9363, #9365, #9429) * Fix missing field labels in CSV import, for some locales (#9393) * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences * Fix command injection via crafted im_convert_path/im_identify_path on Windows Update to 1.6.6: * Fix regression in handling LDAP search_fields configuration parameter (#9210) * Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3 * Fix page jump menu flickering on click (#9196) * Update to TinyMCE 5.10.9 security release (#9228) * Fix PHP8 warnings (#9235, #9238, #9242, #9306) * Fix saving other encryption settings besides enigma's (#9240) * Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237) * Fix TinyMCE localization installation (#9266) * Fix bug where trailing non-ascii characters in email addresses could have been removed in recipient input (#9257) * Fix IMAP GETMETADATA command with options - RFC5464 Update to 1.6.5 (boo#1216895): * Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download CVE-2023-47272 Other changes: * Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171) * Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters (#9166) * Fix PHP warnings (#9174) * Fix UI issue when dealing with an invalid managesieve_default_headers value (#9175) * Fix bug where images attached to application/smil messages weren't displayed (#8870) * Fix PHP string replacement error in utils/error.php (#9185) * Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder (#9162) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-257 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JQ3GTO6YI3BLAIR7PQZYZ5LRFR7OKTWN/ E-Mail link for openSUSE-SU-2024:0257-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216895 SUSE Bug 1216895 https://www.suse.com/security/cve/CVE-2023-47272/ SUSE CVE CVE-2023-47272 page SUSE Package Hub 15 SP5 openSUSE Leap 15.5 roundcubemail-1.6.7-bp155.2.9.1 roundcubemail-1.6.7-bp155.2.9.1 as a component of SUSE Package Hub 15 SP5 roundcubemail-1.6.7-bp155.2.9.1 as a component of openSUSE Leap 15.5 Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). CVE-2023-47272 SUSE Package Hub 15 SP5:roundcubemail-1.6.7-bp155.2.9.1 openSUSE Leap 15.5:roundcubemail-1.6.7-bp155.2.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JQ3GTO6YI3BLAIR7PQZYZ5LRFR7OKTWN/ https://www.suse.com/security/cve/CVE-2023-47272.html CVE-2023-47272 https://bugzilla.suse.com/1216895 SUSE Bug 1216895