Source: roundcube Version: 1.6.6+dfsg-2 Severity: important Control: found -1 1.6.5+dfsg-1~deb12u1 Control: found -1 1.4.15+dfsg.1-1~deb11u2 Control: found -1 1.3.17+dfsg.1-1~deb10u5 Tags: security upstream
Roundcube webmail upstream has recently released 1.6.7 [0] which fixes
the following vulnerabilities:
* Fix command injection via crafted im_convert_path/im_identify_path
on Windows.
https://github.com/roundcube/roundcubemail/commit/7da322371fd00a54670a5d6679faae0fcbd3f229
* Fix cross-site scripting (XSS) vulnerability in handling list
columns from user preferences.
https://github.com/roundcube/roundcubemail/commit/9ca8aa6680c579132e0d1fa59447df8d524ec91c
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate
attributes.
https://github.com/roundcube/roundcubemail/commit/ba252dc5e2946506cb8d0b50b2b7bf95ab51876f
AFAICT no CVE-ID has been published for these issues, I'll request them.
--
Guilhem.
[0] https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7
signature.asc
Description: PGP signature
