Security update for roundcubemail SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0328-1 Final 1 1 2024-10-09T08:01:27Z current 2024-10-09T08:01:27Z 2024-10-09T08:01:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for roundcubemail This update for roundcubemail fixes the following issues: Update to 1.6.8 This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to recently reported security vulnerabilities: * Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009] * Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008] * Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010] CHANGELOG * Managesieve: Protect special scripts in managesieve_kolab_master mode * Fix newmail_notifier notification focus in Chrome (#9467) * Fix fatal error when parsing some TNEF attachments (#9462) * Fix double scrollbar when composing a mail with many plain text lines (#7760) * Fix decoding mail parts with multiple base64-encoded text blocks (#9290) * Fix bug where some messages could get malformed in an import from a MBOX file (#9510) * Fix invalid line break characters in multi-line text in Sieve scripts (#9543) * Fix bug where 'with attachment' filter could fail on some fts engines (#9514) * Fix bug where an unhandled exception was caused by an invalid image attachment (#9475) * Fix bug where a long subject title could not be displayed in some cases (#9416) * Fix infinite loop when parsing malformed Sieve script (#9562) * Fix bug where imap_conn_option's 'socket' was ignored (#9566) * Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009] * Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008] * Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-328 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q5GOCYS6W7WGAIH6NILISNVXQC4O7Z53/ E-Mail link for openSUSE-SU-2024:0328-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1228900 SUSE Bug 1228900 https://bugzilla.suse.com/1228901 SUSE Bug 1228901 https://www.suse.com/security/cve/CVE-2024-42008/ SUSE CVE CVE-2024-42008 page https://www.suse.com/security/cve/CVE-2024-42009/ SUSE CVE CVE-2024-42009 page https://www.suse.com/security/cve/CVE-2024-42010/ SUSE CVE CVE-2024-42010 page SUSE Package Hub 15 SP5 SUSE Package Hub 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 roundcubemail-1.6.8-bp156.2.3.1 roundcubemail-1.6.8-bp156.2.3.1 as a component of SUSE Package Hub 15 SP5 roundcubemail-1.6.8-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 roundcubemail-1.6.8-bp156.2.3.1 as a component of openSUSE Leap 15.5 roundcubemail-1.6.8-bp156.2.3.1 as a component of openSUSE Leap 15.6 A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. CVE-2024-42008 SUSE Package Hub 15 SP5:roundcubemail-1.6.8-bp156.2.3.1 SUSE Package Hub 15 SP6:roundcubemail-1.6.8-bp156.2.3.1 openSUSE Leap 15.5:roundcubemail-1.6.8-bp156.2.3.1 openSUSE Leap 15.6:roundcubemail-1.6.8-bp156.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q5GOCYS6W7WGAIH6NILISNVXQC4O7Z53/ https://www.suse.com/security/cve/CVE-2024-42008.html CVE-2024-42008 A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. CVE-2024-42009 SUSE Package Hub 15 SP5:roundcubemail-1.6.8-bp156.2.3.1 SUSE Package Hub 15 SP6:roundcubemail-1.6.8-bp156.2.3.1 openSUSE Leap 15.5:roundcubemail-1.6.8-bp156.2.3.1 openSUSE Leap 15.6:roundcubemail-1.6.8-bp156.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q5GOCYS6W7WGAIH6NILISNVXQC4O7Z53/ https://www.suse.com/security/cve/CVE-2024-42009.html CVE-2024-42009 https://bugzilla.suse.com/1228900 SUSE Bug 1228900 mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. CVE-2024-42010 SUSE Package Hub 15 SP5:roundcubemail-1.6.8-bp156.2.3.1 SUSE Package Hub 15 SP6:roundcubemail-1.6.8-bp156.2.3.1 openSUSE Leap 15.5:roundcubemail-1.6.8-bp156.2.3.1 openSUSE Leap 15.6:roundcubemail-1.6.8-bp156.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q5GOCYS6W7WGAIH6NILISNVXQC4O7Z53/ https://www.suse.com/security/cve/CVE-2024-42010.html CVE-2024-42010 https://bugzilla.suse.com/1228901 SUSE Bug 1228901