https://github.com/roundcube/roundcubemail/releases/

Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
CVE: (none) => CVE-2024-42010, CVE-2024-42009, CVE-2024-42008
Updated roundcubemail fixes security vulnerabilities:

Some XSS vulnerabilities in HTML, SVG and CSS have been found and corrected.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42009
https://github.com/roundcube/roundcubemail/releases/
========================

Updated packages in core/updates_testing:
roundcubemail-1.6.8-1.mga9.noarch.rpm

SRPM:
roundcubemail-1.6.8-1.mga9.src.rpm
Assignee: mageia => qa-bugs
Installed and tested without issues.

Tested with:
- Apache, PHP-FPM, MariaDB and Dovecot;
- PHP 8.3.9 from the backport repositories;
- Large email accounts, with GiB of emails;
- 2FA enabled using a 3rd party plugin: roundcubemail-plugin-twofactor_gauthenticator

No issues noticed. Will report if anything comes up. For now it all seems to work OK.

System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.

$ uname -a
Linux marte 6.6.43-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jul 27 17:18:39 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.6.8-1.mga9
$ php --version
PHP 8.3.9 (cli) (built: Jul 3 2024 09:22:48) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.3.9, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.9, Copyright (c), by Zend Technologies
    with Xdebug v3.3.1, Copyright (c) 2002-2023, by Derick Rethans
CC: (none) => mageia
Keywords: (none) => advisory
With no reports of problems, I'm giving this an OK and validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0279.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED