roundcube: CVE-2023-47272: cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download

Related Vulnerabilities: CVE-2023-47272

Debian Bug report logs - #1055421


Reported by: Guilhem Moulin <guilhem@debian.org>

Date: Sun, 5 Nov 2023 17:33:02 UTC

Severity: important

Tags: security, upstream

Found in versions roundcube/1.6.4+dfsg-1, roundcube/1.6.4+dfsg-1~deb12u1

Fixed in version roundcube/1.6.5+dfsg-1

Done: Guilhem Moulin <guilhem@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>:
Bug#1055421; Package src:roundcube. (Sun, 05 Nov 2023 17:33:04 GMT)


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>. (Sun, 05 Nov 2023 17:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube: cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
Date: Sun, 5 Nov 2023 18:31:06 +0100
Source: roundcube
Version: 1.6.4+dfsg-1
Severity: important
Control: found -1 1.6.4+dfsg-1~deb12u1
Tags: security upstream

Roundcube webmail upstream has recently released 1.6.5 which fixes the
following vulnerability:

 * Fix cross-site scripting (XSS) vulnerability in setting
   Content-Type/Content-Disposition for attachment preview/download.
   https://github.com/roundcube/roundcubemail/commit/81ac3c342a4f288deb275590895b52ec3785cf8a

AFAICT no CVE-ID has been published for this issue.
-- 
Guilhem.

Marked as found in versions roundcube/1.6.4+dfsg-1~deb12u1. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Sun, 05 Nov 2023 17:33:04 GMT)


Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Sun, 05 Nov 2023 18:24:06 GMT)


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Sun, 05 Nov 2023 18:24:06 GMT)


Message #12 received at 1055421-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1055421-close@bugs.debian.org
Subject: Bug#1055421: fixed in roundcube 1.6.5+dfsg-1
Date: Sun, 05 Nov 2023 18:22:17 +0000
Source: roundcube
Source-Version: 1.6.5+dfsg-1
Done: Guilhem Moulin <guilhem@debian.org>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055421@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 05 Nov 2023 18:15:48 +0100
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1055421
Changes:
 roundcube (1.6.5+dfsg-1) unstable; urgency=high
 .
   * New upstream security and bugfix release:
     + Fix cross-site scripting (XSS) vulnerability in setting
       Content-Type/Content-Disposition for attachment preview/download.
       (Closes: #1055421)
     + Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE.
     + Fix UI issue when dealing with an invalid managesieve_default_headers
       value.
     + Fix bug where images attached to application/smil messages weren't
       displayed.
     + Fix PHP8 warnings.
     + Fix regression where ‘smtp_user’ did not allow pre/post strings
       before/after ‘%u’ placeholder.
   * d/control: Drop 10 year old Breaks+Replaces constraints.
   * d/rules: Update to reflect upstream Makefile.
   * roundcube-plugins: Remove obsolete maintscript.
   * roundcube-core: Suggests some potentially useful roundcube-plugin-*.
   * Refresh d/patches.

Changed Bug title to 'roundcube: CVE-2023-47272: cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download' from 'roundcube: cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 Nov 2023 07:15:03 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 6 17:55:43 2023; Machine Name: buxtehude