opensuse-su-2024:0257-1
Vulnerability from csaf_opensuse
Published
2024-08-21 11:35
Modified
2024-08-21 11:35
Summary
Security update for roundcubemail
Notes
Title of the patch
Security update for roundcubemail
Description of the patch
This update for roundcubemail fixes the following issues:
Update to 1.6.7
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
Reported by Valentin T. and Lutz Wolf of CrowdStrike.
* Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
Reported by Huy Nguyễn Phạm Nhật.
* Fix command injection via crafted im_convert_path/im_identify_path on Windows.
Reported by Huy Nguyễn Phạm Nhật.
CHANGELOG
* Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
* Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
* Fix bug in collapsing/expanding folders with some special characters in names (#9324)
* Fix PHP8 warnings (#9363, #9365, #9429)
* Fix missing field labels in CSV import, for some locales (#9393)
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
* Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
* Fix command injection via crafted im_convert_path/im_identify_path on Windows
Update to 1.6.6:
* Fix regression in handling LDAP search_fields configuration parameter (#9210)
* Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
* Fix page jump menu flickering on click (#9196)
* Update to TinyMCE 5.10.9 security release (#9228)
* Fix PHP8 warnings (#9235, #9238, #9242, #9306)
* Fix saving other encryption settings besides enigma's (#9240)
* Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
* Fix TinyMCE localization installation (#9266)
* Fix bug where trailing non-ascii characters in email addresses
could have been removed in recipient input (#9257)
* Fix IMAP GETMETADATA command with options - RFC5464
Update to 1.6.5 (boo#1216895):
* Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment
preview/download CVE-2023-47272
Other changes:
* Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
* Fix duplicated Inbox folder on IMAP servers that do not use Inbox
folder with all capital letters (#9166)
* Fix PHP warnings (#9174)
* Fix UI issue when dealing with an invalid managesieve_default_headers
value (#9175)
* Fix bug where images attached to application/smil messages
weren't displayed (#8870)
* Fix PHP string replacement error in utils/error.php (#9185)
* Fix regression where smtp_user did not allow pre/post strings
before/after %u placeholder (#9162)
Patchnames
openSUSE-2024-257
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for roundcubemail",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for roundcubemail fixes the following issues:\n\nUpdate to 1.6.7\n\nThis is a security update to the stable version 1.6 of Roundcube Webmail.\nIt provides a fix to a recently reported XSS vulnerabilities:\n\n * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.\n Reported by Valentin T. and Lutz Wolf of CrowdStrike.\n * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.\n Reported by Huy Nguy\u1ec5n Ph\u1ea1m Nh\u1eadt.\n * Fix command injection via crafted im_convert_path/im_identify_path on Windows.\n Reported by Huy Nguy\u1ec5n Ph\u1ea1m Nh\u1eadt.\n\n CHANGELOG\n\n * Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)\n * Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)\n * Fix bug in collapsing/expanding folders with some special characters in names (#9324)\n * Fix PHP8 warnings (#9363, #9365, #9429)\n * Fix missing field labels in CSV import, for some locales (#9393)\n * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes\n * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences\n * Fix command injection via crafted im_convert_path/im_identify_path on Windows\n\nUpdate to 1.6.6:\n\n * Fix regression in handling LDAP search_fields configuration parameter (#9210)\n * Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3\n * Fix page jump menu flickering on click (#9196)\n * Update to TinyMCE 5.10.9 security release (#9228)\n * Fix PHP8 warnings (#9235, #9238, #9242, #9306)\n * Fix saving other encryption settings besides enigma\u0027s (#9240)\n * Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)\n * Fix TinyMCE localization installation (#9266)\n * Fix bug where trailing non-ascii characters in email addresses \n could have been removed in recipient input (#9257)\n * Fix IMAP GETMETADATA command with options - RFC5464\n\nUpdate to 1.6.5 (boo#1216895):\n\n * Fix cross-site scripting (XSS) vulnerability in setting \n Content-Type/Content-Disposition for attachment \n preview/download CVE-2023-47272\n\n Other changes:\n\n * Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)\n * Fix duplicated Inbox folder on IMAP servers that do not use Inbox \n folder with all capital letters (#9166)\n * Fix PHP warnings (#9174)\n * Fix UI issue when dealing with an invalid managesieve_default_headers \n value (#9175)\n * Fix bug where images attached to application/smil messages \n weren\u0027t displayed (#8870)\n * Fix PHP string replacement error in utils/error.php (#9185)\n * Fix regression where smtp_user did not allow pre/post strings \n before/after %u placeholder (#9162)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2024-257",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0257-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:0257-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JQ3GTO6YI3BLAIR7PQZYZ5LRFR7OKTWN/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:0257-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JQ3GTO6YI3BLAIR7PQZYZ5LRFR7OKTWN/"
},
{
"category": "self",
"summary": "SUSE Bug 1216895",
"url": "https://bugzilla.suse.com/1216895"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-47272 page",
"url": "https://www.suse.com/security/cve/CVE-2023-47272/"
}
],
"title": "Security update for roundcubemail",
"tracking": {
"current_release_date": "2024-08-21T11:35:59Z",
"generator": {
"date": "2024-08-21T11:35:59Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:0257-1",
"initial_release_date": "2024-08-21T11:35:59Z",
"revision_history": [
{
"date": "2024-08-21T11:35:59Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "roundcubemail-1.6.7-bp155.2.9.1.noarch",
"product": {
"name": "roundcubemail-1.6.7-bp155.2.9.1.noarch",
"product_id": "roundcubemail-1.6.7-bp155.2.9.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP5",
"product": {
"name": "SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "roundcubemail-1.6.7-bp155.2.9.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:roundcubemail-1.6.7-bp155.2.9.1.noarch"
},
"product_reference": "roundcubemail-1.6.7-bp155.2.9.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "roundcubemail-1.6.7-bp155.2.9.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:roundcubemail-1.6.7-bp155.2.9.1.noarch"
},
"product_reference": "roundcubemail-1.6.7-bp155.2.9.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-47272",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-47272"
}
],
"notes": [
{
"category": "general",
"text": "Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:roundcubemail-1.6.7-bp155.2.9.1.noarch",
"openSUSE Leap 15.5:roundcubemail-1.6.7-bp155.2.9.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-47272",
"url": "https://www.suse.com/security/cve/CVE-2023-47272"
},
{
"category": "external",
"summary": "SUSE Bug 1216895 for CVE-2023-47272",
"url": "https://bugzilla.suse.com/1216895"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:roundcubemail-1.6.7-bp155.2.9.1.noarch",
"openSUSE Leap 15.5:roundcubemail-1.6.7-bp155.2.9.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP5:roundcubemail-1.6.7-bp155.2.9.1.noarch",
"openSUSE Leap 15.5:roundcubemail-1.6.7-bp155.2.9.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-08-21T11:35:59Z",
"details": "moderate"
}
],
"title": "CVE-2023-47272"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…