https://github.com/roundcube/roundcubemail/releases/tag/1.6.5
Updated roundcubemail packages fix security vulnerability:
- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download

Some other errors have been fixed:
- Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE
- Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters
- Fix PHP warnings
- Fix UI issue when dealing with an invalid managesieve_default_headers value
- Fix bug where images attached to application/smil messages weren't displayed
- Fix PHP string replacement error in utils/error.php
- Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.6.5

========================
Updated packages in core/updates_testing:
========================
roundcubemail-1.6.5-1.mga10.noarch.rpm

SRPM:
roundcubemail-1.6.5-1.mga10.src.rpm
Assignee: mageia => qa-bugs
(In reply to Marc Krämer from comment #1)
> ========================
>
> Updated packages in core/updates_testing:
> ========================
> roundcubemail-1.6.5-1.mga10.noarch.rpm
>
> SRPM:
> roundcubemail-1.6.5-1.mga10.src.rpm

s/mga10/mga9/

I think the advisory needs to be merged with the one from roundcubemail-1.6.4-1.mga9 in bug 32450, because that is still waiting for testers and the packages are no longer available in updates_testing.

I didn't find a CVE for
- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
CC: (none) => marja11
Blocks: (none) => 32450
@Marja
- XSS: me neither - but it was mentioned in the release notes. Maybe it comes later.
- mga10: bad mistake, but the package in mga9 is the same, hit the wrong build for copying.
Merged the advisories from this and the previous roundcubemail update request (bug 32450) and closing that old request:

Updated roundcubemail package fixes security vulnerabilities:
- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages. (CVE-2023-5631)

Some other errors have been fixed:
- Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE
- Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters
- Fix PHP warnings
- Fix UI issue when dealing with an invalid managesieve_default_headers value
- Fix bug where images attached to application/smil messages weren't displayed
- Fix PHP string replacement error in utils/error.php
- Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder

References:
https://roundcube.net/news/2023/10/16/security-update-1.6.4-released
https://github.com/roundcube/roundcubemail/releases/tag/1.6.5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5631

========================
Updated packages in core/updates_testing:
========================
roundcubemail-1.6.5-1.mga9.noarch.rpm

SRPM:
roundcubemail-1.6.5-1.mga9.src.rpm
CVE: (none) => CVE-2023-5631
Blocks: 32450 => (none)
*** Bug 32450 has been marked as a duplicate of this bug. ***
Advisory from comment 4 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
Advisory updated with CVE-2023-47272
CVE: CVE-2023-5631 => CVE-2023-5631, CVE-2023-47272
Should we ask for testers on mailing lists or in the forums?
I'm not a member of QA but I've set up roundcubemail in the past. I installed the old roundcubemail-1.6.1-1.mga9.noarch and jumped through the hoops to get it mostly working (everything except actually sending mails as I had no smtp set up). After it was working I installed roundcubemail-1.6.5-1.mga9.noarch.rpm from updates_testing. Everything worked exactly the same under both versions with no regressions noted. Worked pretty smoothly. Acer Travelmate laptop x86_64 Mageia 9 with all tests done via localhost.
CC: (none) => mhrambo3501
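The test above installs the old 1.6.1 package and then upgrades to 1.6.5-1.mga9 from updates_testing. A quick way to confirm on a Mageia 9 host whether the installed roundcubemail package is at or past the fixed build named in the advisory is to compare the output of `rpm -q roundcubemail` against `roundcubemail-1.6.5-1.mga9.noarch` using RPM's version ordering. The script below is an added example, not part of this bug report or of Mageia's tooling; it implements a simplified form of librpm's rpmvercmp (numeric and alphabetic segments only, no tilde/caret handling, which is an assumption adequate for the version strings on this page) and runs it over constructed sample package names.

```python
import re
from typing import List, Tuple

# Fixed package from the merged Mageia 9 advisory in this thread.
FIXED_NEVRA = "roundcubemail-1.6.5-1.mga9.noarch"

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def parse_nevra(pkg: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    body, arch = pkg.rsplit(".", 1)
    name_version, release = body.rsplit("-", 1)
    name, version = name_version.rsplit("-", 1)
    return name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: 1 if a is newer than b, -1 if older, 0 if equal.

    Segments are runs of digits or letters. Numeric segments compare as
    integers (so 1.6.10 > 1.6.5), alphabetic ones lexically, and a numeric
    segment outranks an alphabetic one. When all shared segments match, the
    string with more segments is newer. Tilde/caret are not handled (assumption).
    """
    if a == b:
        return 0
    seg_a: List[str] = _SEGMENT.findall(a)
    seg_b: List[str] = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def compare_packages(installed: str, fixed: str) -> int:
    """Compare version, then release, of two NEVRA strings for the same package."""
    name_i, ver_i, rel_i, _ = parse_nevra(installed)
    name_f, ver_f, rel_f, _ = parse_nevra(fixed)
    if name_i != name_f:
        raise ValueError(f"package name mismatch: {name_i} vs {name_f}")
    result = rpmvercmp(ver_i, ver_f)
    return result if result != 0 else rpmvercmp(rel_i, rel_f)


def is_patched(installed: str, fixed: str = FIXED_NEVRA) -> bool:
    """True when the installed build is the fixed build or a later one."""
    return compare_packages(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample inputs, as `rpm -q roundcubemail` would print them.
    samples = [
        "roundcubemail-1.6.1-1.mga9.noarch",      # the old build from the test above
        "roundcubemail-1.6.5-1.mga9.noarch",      # the fixed build
        "roundcubemail-1.6.5-1.mga9.noarch.rpm",  # filename form from updates_testing
        "roundcubemail-1.6.10-1.mga9.noarch",     # hypothetical later build
    ]
    for pkg in samples:
        status = "patched" if is_patched(pkg) else "VULNERABLE (update needed)"
        print(f"{pkg}: {status}")
```

On a real host replace the constructed list with the single line from `rpm -q roundcubemail`; the comparison deliberately keys on version and release only, so the same check works for the mga10 build named in comment 1 as long as the release string is passed in too.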
Good enough for me. Giving this an OK, and validating. Thanks, Mike.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0332.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED