Bugzilla – Bug 1175135
VUL-1: CVE-2020-16145: roundcube -- security update
Last modified: 2020-09-24 16:22:58 UTC
CVE-2020-16145

It was discovered that roundcube, a skinnable AJAX-based webmail solution for IMAP servers, is prone to cross-site scripting vulnerabilities in handling invalid svg and math tag content.

For the stable distribution (buster), this problem has been fixed in version 1.3.15+dfsg.1-1~deb10u1.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16145
http://www.debian.org/security/-1/dsa-4744
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968216
From [0]: the 1.2.x, 1.3.x and 1.4.x branches are affected.

Upstream fix:
1.4.x https://github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4
1.3.x https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b
1.2.x https://github.com/roundcube/roundcubemail/commit/589d36010048300ed39f4887aab1afd3ae98d00e

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968216
Affects Tumbleweed, Leap 15.1 and 15.2. An update to 1.4.8 or 1.3.15 respectively should fix the issue.
1.4.8 is already available in server:php:applications and on its way to Factory. As the update repositories of the affected distributions have the 1.3.6 version, I think updating to 1.3.15 is a good idea (1.4 has many changes that are not incompatible, but the UI changed radically).

I prepared maintenance request 826139 now, fixing the following CVEs:
bsc#1175135 -> CVE-2020-16145
bsc#1173792 -> CVE-2020-15562
bsc#1171148 -> CVE-2020-12641
bsc#1171040 -> CVE-2020-12625
bsc#1171149 -> CVE-2020-12640
CVE-2019-10740 (without bsc number)

Please note: the package had a "have choice" problem with php7 and php7-test. I added a
Prefer: php7
in the project config of my maintenance repo to get the package built. Maybe this prefer should also be added to the Update repo?
(In reply to Lars Vogdt from comment #3)
> Please note: the package had a "have choice" problem with php7 and
> php7-test. I added a
> Prefer: php7
> in the project config of my maintenance repo to get the package built. Maybe
> this prefer should also be added to the Update repo?
^^^^ I forgot: for Leap 15.1
This is an autogenerated message for OBS integration:
This bug (1175135) was mentioned in
https://build.opensuse.org/request/show/826139 15.1+15.2+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / roundcubemail
Update released.
openSUSE-SU-2020:1516-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1115718,1115719,1146286,1171040,1171148,1171149,1173792,1175135
CVE References: CVE-2019-10740,CVE-2020-12625,CVE-2020-12640,CVE-2020-12641,CVE-2020-15562,CVE-2020-16145
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): roundcubemail-1.3.15-lp152.4.3.1
openSUSE Leap 15.1 (src): roundcubemail-1.3.15-lp151.3.3.1
openSUSE Backports SLE-15-SP2 (src): roundcubemail-1.3.15-bp152.4.3.1
openSUSE Backports SLE-15-SP1 (src): roundcubemail-1.3.15-bp151.4.3.1