Bug 33460 - roundcubemail: xss vulnerabilities
Summary: roundcubemail: xss vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:

Reported: 2024-08-08 14:25 CEST by Marc Krämer
Modified: 2024-08-15 19:50 CEST

See Also:
Source RPM: roundcubemail
CVE: CVE-2024-42010, CVE-2024-42009, CVE-2024-42008
Status comment:

Description Marc Krämer 2024-08-08 14:25:47 CEST
https://github.com/roundcube/roundcubemail/releases/

Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
Marc Krämer 2024-08-08 14:26:16 CEST

CVE: (none) => CVE-2024-42010, CVE-2024-42009, CVE-2024-42008

Comment 1 Marc Krämer 2024-08-08 14:31:02 CEST
Updated roundcubemail fixes security vulnerabilities:

Some XSS vulnerabilities in HTML, SVG and CSS have been found and corrected.


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42009
https://github.com/roundcube/roundcubemail/releases/
========================

Updated packages in core/updates_testing:
roundcubemail-1.6.8-1.mga9.noarch.rpm
SRPM:
roundcubemail-1.6.8-1.mga9.src.rpm

Assignee: mageia => qa-bugs

Comment 2 PC LX 2024-08-08 20:25:02 CEST
Installed and tested without issues.

Tested with:
- Apache, PHP-FPM, MariaDB and Dovecot;
- PHP 8.3.9 from the backport repositories;
- Large email accounts, with GiB of emails;
- 2FA enabled using a 3rd party plugin: roundcubemail-plugin-twofactor_gauthenticator

No issues noticed. Will report if anything comes up. For now it all seems to work OK.

System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.

$ uname -a
Linux marte 6.6.43-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jul 27 17:18:39 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.6.8-1.mga9
$ php --version
PHP 8.3.9 (cli) (built: Jul  3 2024 09:22:48) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.3.9, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.9, Copyright (c), by Zend Technologies
    with Xdebug v3.3.1, Copyright (c) 2002-2023, by Derick Rethans

CC: (none) => mageia

katnatek 2024-08-09 03:40:19 CEST

Keywords: (none) => advisory

Comment 3 Thomas Andrews 2024-08-13 02:29:14 CEST
With no reports of problems, I'm giving this an OK and validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK

Comment 4 Mageia Robot 2024-08-15 19:50:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0279.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
