new release fixes some xss bugs
This is a security update to the stable version 1.6 of Roundcube Webmail. It provides a fix to recently reported XSS vulnerabilities:

- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike.
- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. Reported by Huy Nguyễn Phạm Nhật.
- Fix command injection via crafted im_convert_path/im_identify_path on Windows. Reported by Huy Nguyễn Phạm Nhật.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.6.7

========================
Updated packages in core/updates_testing:
========================
roundcubemail-1.6.7-1.mga9.noarch

SRPM:
roundcubemail-1.6.7-1.mga9.src.rpm
Assignee: mageia => qa-bugs
CC: (none) => mageia
Keywords: (none) => advisory
Installed and tested without issues.

Tested for about two days without issues.

Tested with:
- apache, PHP-FPM, mariadb and dovecot;
- PHP 8.3.6 from the backport repositories;
- large email accounts, with GiB of emails;
- with 2FA enabled using a 3rd party plugin: roundcubemail-plugin-twofactor_gauthenticator

System: Mageia 9, x86_64, Intel CPU.

$ uname -a
Linux marte 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.6.7-1.mga9
$ php --version
PHP 8.3.6 (cli) (built: Apr 11 2024 13:17:33) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.3.6, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies
    with Xdebug v3.3.1, Copyright (c) 2002-2023, by Derick Rethans
I see previous test of PC LX was enough
Bug#29695 comment#6
Give OK
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0193.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED