Source: roundcube
Version: 1.2.3+dfsg.1-1
Severity: important
Tags: security patch upstream fixed-upstream

Hi,

1.2.4 roundcube release fixed an XSS issue in handling of a style tag inside of an svg element. AFAICT, this issue does not yet have a CVE assigned, thus I have requested one.

Fixed by:
https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4

Upstream changelog:
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124
https://github.com/roundcube/roundcubemail/releases/tag/1.1.8

Can you make sure the isolated fix (unless 1.2.4 gets acked by the release team) makes it into stretch and ask for an unblock for it?

Regards,
Salvatore