Hi,

On Thu, Nov 18, 2021 at 07:25:02PM +0100, Guilhem Moulin wrote:
> Source: roundcube
> Severity: important
> Tags: security
> Control: found -1 1.3.16+dfsg.1-1~deb10u1
> Control: found -1 1.4.11+dfsg.1-4
> Control: fixed -1 1.5.0+dfsg.1-1
> 
> In a recent post roundcube webmail upstream has announced the
> following security fixes:
> 
>  * Fix XSS issue in handling attachment filename extension in mimetype
>    mismatch warning
>  * Fix possible SQL injection via some session variables
> 
> sid/bookworm's 1.5.0+dfsg.1-2 is not affected.  Upstream fixes for LTS
> branches:
> 
>     1.4.x
>       https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
>       https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
>     1.3.x
>       https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
>       https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa

CVEs are assigned as follows (by MITRE):

CVE-2021-44025 for the XSS issue

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44025

CVE-2021-44026 for the SQL injection.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44026

Regards,
Salvatore
