roundcube: CVE-2023-5631: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages

Related Vulnerabilities: CVE-2023-5631  

Debian Bug report logs - #1054079

Reported by: Guilhem Moulin <guilhem@debian.org>

Date: Mon, 16 Oct 2023 18:27:01 UTC

Severity: important

Tags: security, upstream

Found in versions roundcube/1.6.3+dfsg-1~deb12u1, roundcube/1.4.14+dfsg.1-1~deb11u1, roundcube/1.6.3+dfsg-2, roundcube/1.3.17+dfsg.1-1~deb10u3

Fixed in version roundcube/1.6.4+dfsg-1

Done: Guilhem Moulin <guilhem@debian.org>

Forwarded to https://github.com/roundcube/roundcubemail/issues/9168



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>:
Bug#1054079; Package src:roundcube. (Mon, 16 Oct 2023 18:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>. (Mon, 16 Oct 2023 18:27:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Guilhem Moulin <guilhem@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages
Date: Mon, 16 Oct 2023 20:24:12 +0200
Source: roundcube
Version: 1.6.3+dfsg-2
Severity: important
Tags: security upstream
Control: found -1 1.3.17+dfsg.1-1~deb10u3
Control: found -1 1.4.14+dfsg.1-1~deb11u1
Control: found -1 1.6.3+dfsg-1~deb12u1
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/9168

In a recent post, roundcube webmail upstream has announced the
following security fix:

 * Fix cross-site scripting (XSS) vulnerability in handling of SVG in
   HTML messages.

AFAICT no CVE ID has been assigned or requested yet, so I'll file a
request to that effect.  Upstream fixes for stable and LTS branches:

    1.6.x https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
    1.4.x https://github.com/roundcube/roundcubemail/commit/7b2df52ede57bab9e87e9c3bc00601eeca591a5e
          https://github.com/roundcube/roundcubemail/commit/dc7b6850c68870570b438d79c0949a5031522127

1.3.x is no longer supported upstream but AFAICT affected nonetheless.

-- 
Guilhem.

Marked as found in versions roundcube/1.3.17+dfsg.1-1~deb10u3. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Mon, 16 Oct 2023 18:27:04 GMT) (full text, mbox, link).


Marked as found in versions roundcube/1.4.14+dfsg.1-1~deb11u1. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Mon, 16 Oct 2023 18:27:04 GMT) (full text, mbox, link).


Marked as found in versions roundcube/1.6.3+dfsg-1~deb12u1. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Mon, 16 Oct 2023 18:27:05 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://github.com/roundcube/roundcubemail/issues/9168'. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Mon, 16 Oct 2023 18:27:05 GMT) (full text, mbox, link).


Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Mon, 16 Oct 2023 19:09:05 GMT) (full text, mbox, link).


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Mon, 16 Oct 2023 19:09:05 GMT) (full text, mbox, link).


Message #18 received at 1054079-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1054079-close@bugs.debian.org
Subject: Bug#1054079: fixed in roundcube 1.6.4+dfsg-1
Date: Mon, 16 Oct 2023 19:05:01 +0000
Source: roundcube
Source-Version: 1.6.4+dfsg-1
Done: Guilhem Moulin <guilhem@debian.org>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054079@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Oct 2023 20:02:40 +0200
Source: roundcube
Architecture: source
Version: 1.6.4+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1053709 1054079
Changes:
 roundcube (1.6.4+dfsg-1) unstable; urgency=high
 .
   * New upstream security and bugfix release:
     + Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML
       messages. (Closes: #1054079)
     + Managesieve plugin: Fix javascript error when relational or spamtest
       extension is not enabled.
     + Fix PHP8 warnings.
   * Add DEP-8 test to check RCMAIL_VERSION against d/changelog.
   * roundcube-core.postinst: Don't choke on non-existing symlink targets.
     (Closes: #1053709)
Checksums-Sha1:
 f510193b40bddf74f487677dbaa0fd1557c09fdc 3801 roundcube_1.6.4+dfsg-1.dsc
 49a41f382aaf74673bd5dc649d3cbe8d67ace5ca 220736 roundcube_1.6.4+dfsg.orig-tinymce-langs.tar.xz
 32758ee3f2b186460c2e8f1cd87aa8ee22c6bc44 1858152 roundcube_1.6.4+dfsg.orig-tinymce.tar.xz
 6b100df31c0cb2d0e296386c871a59bde179846b 2784448 roundcube_1.6.4+dfsg.orig.tar.xz
 510673f4a01b6edc45d3e7dae342ffea558400d5 105368 roundcube_1.6.4+dfsg-1.debian.tar.xz
 c5d075dae6d4be1e5ad40d182ea3c28d8b9e5773 13600 roundcube_1.6.4+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 cf926617fd976cd63eec4ade40bc077cd0276a9f66dc614e4471e69390f47b2d 3801 roundcube_1.6.4+dfsg-1.dsc
 3d7bf2bba2010c171319a76a266b671e01d5c7bff3e200fe9d966bf915932dbe 220736 roundcube_1.6.4+dfsg.orig-tinymce-langs.tar.xz
 d347dcebc705fd65214c08cdb02367e39bef9e3eba41c0affe84bc42ccec8aa9 1858152 roundcube_1.6.4+dfsg.orig-tinymce.tar.xz
 ea4e8fb414edd0961aa69d4ffba03d4981a4fad62580d88989f71489d11f3a1e 2784448 roundcube_1.6.4+dfsg.orig.tar.xz
 27addc955d2b1d5760f54a91b83805b525a81eaf2f89a1afbaa14fcaf4aee2ea 105368 roundcube_1.6.4+dfsg-1.debian.tar.xz
 e1880481d8452a2072271dbfb14ae930759fc720c8dd6a37a35bd2d153591717 13600 roundcube_1.6.4+dfsg-1_amd64.buildinfo
Files:
 f51e5fdfeacc018f61324026a90a8023 3801 web optional roundcube_1.6.4+dfsg-1.dsc
 b8e238bb13d3f2c9e3052bf77ab32dde 220736 web optional roundcube_1.6.4+dfsg.orig-tinymce-langs.tar.xz
 e5a66bf48031beb980234a0d27d77fdf 1858152 web optional roundcube_1.6.4+dfsg.orig-tinymce.tar.xz
 36dc8f64d4e01669457ca1ac400ffaa3 2784448 web optional roundcube_1.6.4+dfsg.orig.tar.xz
 8acc4c83b9e2795ab7e7970b47b43ca0 105368 web optional roundcube_1.6.4+dfsg-1.debian.tar.xz
 8cb9541c5feb8c0a00b3640f8f9b1d9d 13600 web optional roundcube_1.6.4+dfsg-1_amd64.buildinfo





Changed Bug title to 'roundcube: CVE-2023-5631: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages' from 'roundcube: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Oct 2023 20:27:02 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Oct 19 17:54:27 2023; Machine Name: bembo
