Bug 33229 - Roundcubemail: XSS Bugs
Summary: Roundcubemail: XSS Bugs
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://github.com/roundcube/roundcub...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-05-21 14:54 CEST by Marc Krämer
Modified: 2024-05-26 01:39 CEST

See Also:
Source RPM: roundcubemail
CVE:
Status comment:


Attachments

Description Marc Krämer 2024-05-21 14:54:07 CEST
New release fixes some XSS bugs.
Comment 1 Marc Krämer 2024-05-22 20:48:55 CEST
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes for recently reported XSS vulnerabilities:

Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
Reported by Valentin T. and Lutz Wolf of CrowdStrike.

Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
Reported by Huy Nguyễn Phạm Nhật.

Fix command injection via crafted im_convert_path/im_identify_path on Windows.
Reported by Huy Nguyễn Phạm Nhật.

This version is considered stable and we recommend updating all production installations of Roundcube 1.6.x with it. Please do back up your data before updating!


References:
https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.6.7-1.mga9.noarch

SRPM:
roundcubemail-1.6.7-1.mga9.src.rpm

Assignee: mageia => qa-bugs

PC LX 2024-05-22 22:03:40 CEST

CC: (none) => mageia

katnatek 2024-05-24 04:50:48 CEST

Keywords: (none) => advisory

Comment 2 PC LX 2024-05-24 12:03:12 CEST
Installed and tested without issues.

Tested for about two days without issues.

Tested with:
- apache, PHP-FPM, mariadb and dovecot;
- PHP 8.3.6 from the backport repositories;
- large email accounts, with GiB of emails;
- with 2FA enabled using a third-party plugin: roundcubemail-plugin-twofactor_gauthenticator

System: Mageia 9, x86_64, Intel CPU.

$ uname -a
Linux marte 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.6.7-1.mga9
$ php --version
PHP 8.3.6 (cli) (built: Apr 11 2024 13:17:33) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.3.6, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies
    with Xdebug v3.3.1, Copyright (c) 2002-2023, by Derick Rethans
Comment 3 katnatek 2024-05-25 20:19:16 CEST
I see the previous test by PC LX was enough.

Bug#29695 comment#6

Giving OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-05-25 23:27:25 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-05-26 01:39:55 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0193.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED