openSUSE-SU-2024:0328-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2024:0328-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2024:0328-1
Related
Published
2024-10-09T08:01:27Z
Modified
2024-10-09T08:01:27Z
Summary
Security update for roundcubemail
Details

This update for roundcubemail fixes the following issues:

Update to 1.6.8 This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to recently reported security vulnerabilities:

  • Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
  • Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]

  • Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

    CHANGELOG

  • Managesieve: Protect special scripts in managesievekolabmaster mode

  • Fix newmail_notifier notification focus in Chrome (#9467)
  • Fix fatal error when parsing some TNEF attachments (#9462)
  • Fix double scrollbar when composing a mail with many plain text lines (#7760)
  • Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
  • Fix bug where some messages could get malformed in an import from a MBOX file (#9510)
  • Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
  • Fix bug where 'with attachment' filter could fail on some fts engines (#9514)
  • Fix bug where an unhandled exception was caused by an invalid image attachment (#9475)
  • Fix bug where a long subject title could not be displayed in some cases (#9416)
  • Fix infinite loop when parsing malformed Sieve script (#9562)
  • Fix bug where imapconnoption's 'socket' was ignored (#9566)
  • Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
  • Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
  • Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
References

Affected packages

SUSE:Package Hub 15 SP5 / roundcubemail

Package

Name
roundcubemail
Purl
pkg:rpm/suse/roundcubemail&distro=SUSE%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.8-bp156.2.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "roundcubemail": "1.6.8-bp156.2.3.1"
        }
    ]
}

SUSE:Package Hub 15 SP6 / roundcubemail

Package

Name
roundcubemail
Purl
pkg:rpm/suse/roundcubemail&distro=SUSE%20Package%20Hub%2015%20SP6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.8-bp156.2.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "roundcubemail": "1.6.8-bp156.2.3.1"
        }
    ]
}

openSUSE:Leap 15.5 / roundcubemail

Package

Name
roundcubemail
Purl
pkg:rpm/opensuse/roundcubemail&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.8-bp156.2.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "roundcubemail": "1.6.8-bp156.2.3.1"
        }
    ]
}

openSUSE:Leap 15.6 / roundcubemail

Package

Name
roundcubemail
Purl
pkg:rpm/opensuse/roundcubemail&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.8-bp156.2.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "roundcubemail": "1.6.8-bp156.2.3.1"
        }
    ]
}