33229 – Roundcubemail: XSS Bugs

Bug 33229 - Roundcubemail: XSS Bugs

Summary: Roundcubemail: XSS Bugs

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	https://github.com/roundcube/roundcub...
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2024-05-21 14:54 CEST by Marc Krämer
Modified:	2024-05-26 01:39 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	roundcubemail
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Marc Krämer 2024-05-21 14:54:07 CEST

new release fixes some xss bugs

Comment 1 Marc Krämer 2024-05-22 20:48:55 CEST

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:

Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
Reported by Valentin T. and Lutz Wolf of CrowdStrike.

Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
Reported by Huy Nguyễn Phạm Nhật.

Fix command injection via crafted im_convert_path/im_identify_path on Windows.
Reported by Huy Nguyễn Phạm Nhật.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!


References:
https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.6.7-1.mga9.noarch

SRPM:
roundcubemail-1.6.7-1.mga9.src.rpm

Assignee: mageia => qa-bugs

PC LX 2024-05-22 22:03:40 CEST

CC: (none) => mageia

katnatek 2024-05-24 04:50:48 CEST

Keywords: (none) => advisory

Comment 2 PC LX 2024-05-24 12:03:12 CEST

Installed and tested without issues.

Tested for about two days without issues.

Tested with:
- apache, PHP-FPM, mariadb and dovecot;
- PHP 8.3.6 from the backport repositories;
- large email accounts, with GiB of emails;
- with 2FA enabled using a 3rd party plugin: roundcubemail-plugin-twofactor_gauthenticator



System: Mageia 9, x86_64, Intel CPU.



$ uname -a
Linux marte 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.6.7-1.mga9
$ php --version
PHP 8.3.6 (cli) (built: Apr 11 2024 13:17:33) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.3.6, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies
    with Xdebug v3.3.1, Copyright (c) 2002-2023, by Derick Rethans

Comment 3 katnatek 2024-05-25 20:19:16 CEST

I see previous test of PC LX was enough

Bug#29695 comment#6

Give OK

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-05-25 23:27:25 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-05-26 01:39:55 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0193.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.