Source: roundcube
Version: 1.2.3+dfsg.1-1
Severity: important
Tags: security patch upstream fixed-upstream

Hi

The 1.2.4 roundcube release fixed an XSS issue in handling of a style tag
inside of an svg element.

AFAICT, this issue does not yet have a CVE assigned, thus I have requested
one.

Fixed by:

https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4

Upstream changelog:
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124
https://github.com/roundcube/roundcubemail/releases/tag/1.1.8

Can you make sure the isolated fix (unless 1.2.4 gets acked by the
release team) makes it into stretch and ask for an unblock for it?

Regards,
Salvatore
