roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings

Related Vulnerabilities: CVE-2021-44025   CVE-2021-44026  

Debian Bug report logs - #1000156


Reported by: Guilhem Moulin <guilhem@debian.org>

Date: Thu, 18 Nov 2021 18:27:01 UTC

Severity: important

Tags: security

Found in versions roundcube/1.4.11+dfsg.1-4, roundcube/1.3.16+dfsg.1-1~deb10u1

Fixed in version roundcube/1.5.0+dfsg.1-1



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>:
Bug#1000156; Package src:roundcube. (Thu, 18 Nov 2021 18:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>. (Thu, 18 Nov 2021 18:27:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Guilhem Moulin <guilhem@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings
Date: Thu, 18 Nov 2021 19:25:02 +0100
Source: roundcube
Severity: important
Tags: security
Control: found -1 1.3.16+dfsg.1-1~deb10u1
Control: found -1 1.4.11+dfsg.1-4
Control: fixed -1 1.5.0+dfsg.1-1

In a recent post roundcube webmail upstream has announced the
following security fixes:

 * Fix XSS issue in handling attachment filename extension in mimetype
   mismatch warning
 * Fix possible SQL injection via some session variables

sid/bookworm's 1.5.0+dfsg.1-2 is not affected.  Upstream fixes for LTS
branches:

    1.4.x https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
          https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
    1.3.x https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
          https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa

-- 
Guilhem.

[0] https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released

Marked as found in versions roundcube/1.3.16+dfsg.1-1~deb10u1. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Thu, 18 Nov 2021 18:27:03 GMT) (full text, mbox, link).


Marked as found in versions roundcube/1.4.11+dfsg.1-4. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Thu, 18 Nov 2021 18:27:04 GMT) (full text, mbox, link).


Marked as fixed in versions roundcube/1.5.0+dfsg.1-1. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Thu, 18 Nov 2021 18:27:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>:
Bug#1000156; Package src:roundcube. (Fri, 19 Nov 2021 07:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>. (Fri, 19 Nov 2021 07:33:03 GMT) (full text, mbox, link).


Message #16 received at 1000156@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Guilhem Moulin <guilhem@debian.org>, 1000156@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1000156: roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings
Date: Fri, 19 Nov 2021 08:29:59 +0100
Hi,

On Thu, Nov 18, 2021 at 07:25:02PM +0100, Guilhem Moulin wrote:
> Source: roundcube
> Severity: important
> Tags: security
> Control: found -1 1.3.16+dfsg.1-1~deb10u1
> Control: found -1 1.4.11+dfsg.1-4
> Control: fixed -1 1.5.0+dfsg.1-1
> 
> In a recent post roundcube webmail upstream has announced the
> following security fixes:
> 
>  * Fix XSS issue in handling attachment filename extension in mimetype
>    mismatch warning
>  * Fix possible SQL injection via some session variables
> 
> sid/bookworm's 1.5.0+dfsg.1-2 is not affected.  Upstream fixes for LTS
> branches:
> 
>     1.4.x https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
>           https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
>     1.3.x https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
>           https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa

CVEs are assigned as follows (by MITRE):

CVE-2021-44025 for the XSS issue

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44025

CVE-2021-44026 for the SQL injection.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44026

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Nov 19 14:38:31 2021; Machine Name: buxtehude
