Bugzilla – Bug 1175135
VUL-1: CVE-2020-16145: roundcube -- security update
Last modified: 2020-09-24 16:22:58 UTC
It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, is prone to cross-site scripting
vulnerabilities in handling invalid svg and math tag content.
For the stable distribution (buster), this problem has been fixed in
We recommend that you upgrade your roundcube packages.
For the detailed security status of roundcube please refer to its
security tracker page at:
1.2.x, 1.3.x and 1.4.x branches are affected. Upstream fix:
affects Tumbleweed, Leap 15.1 and 15.2
update to 1.4.8 or 1.3.15 respectively should fix the issue
1.4.8 is already available in server:php:applications and on its way to Factory.
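The affected-branch and fixed-version information above (1.2.x, 1.3.x and 1.4.x affected; fixed in 1.3.15 and 1.4.8, with no fixed 1.2 release named here) turned into a branch-aware version check. This is an added example, not code from roundcube or the openSUSE packagers; it assumes roundcube's `program/include/iniset.php` defines `RCMAIL_VERSION`, and the `define(...)` line it parses is a constructed sample, not a real file.

```python
import re

# Fixed releases named on this page, keyed by affected branch. 1.2.x is
# listed as affected but no fixed 1.2 release is named, so it maps to None.
FIXED_BY_BRANCH = {
    (1, 2): None,
    (1, 3): (1, 3, 15),
    (1, 4): (1, 4, 8),
}


def parse_version(text):
    """Turn '1.3.6' (or a package string such as '1.3.15-lp152.2.3.1')
    into a (major, minor, patch) tuple; any suffix after the third
    number is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised roundcube version: %r" % text)
    return tuple(int(x) for x in m.groups())


def cve_2020_16145_status(version):
    """Classify an installed version against the fix levels on this page."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_BY_BRANCH:
        # Branch not mentioned on this page; consult upstream before trusting it.
        return "not-listed"
    fixed = FIXED_BY_BRANCH[branch]
    if fixed is None:
        return "affected-no-fix-listed"
    return "fixed" if v >= fixed else "vulnerable"


# Assumption: roundcube's program/include/iniset.php carries a line like the
# constructed sample below. Read the real file instead of this string.
SAMPLE_INISET_LINE = "define('RCMAIL_VERSION', '1.3.6');"


def version_from_iniset(source):
    """Extract the RCMAIL_VERSION string from iniset.php source text."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found")
    return m.group(1)


if __name__ == "__main__":
    for v in ["1.3.6", "1.3.15", "1.4.7", "1.4.8", "1.2.9", "1.5.0"]:
        print(v, cve_2020_16145_status(v))
    installed = version_from_iniset(SAMPLE_INISET_LINE)
    print("iniset.php says", installed, "->", cve_2020_16145_status(installed))
```

The check compares only the numeric prefix, so a pre-release such as a 1.4.8 release candidate would be reported as fixed; treat anything that is not a final release as unverified.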
As the update repositories of the affected distributions have the 1.3.6 version, I think updating to 1.3.15 is a good idea (1.4 has many changes that are not incompatible, but the UI changed radically).
I prepared maintenance request 826139 now, fixing the following CVEs:
bsc#1175135 -> CVE-2020-16145
bsc#1173792 -> CVE-2020-15562
bsc#1171148 -> CVE-2020-12641
bsc#1171040 -> CVE-2020-12625
bsc#1171149 -> CVE-2020-12640
CVE-2019-10740 (without bsc number)
Please note: the package had a "have choice" problem with php7 and php7-test. I added a
Prefer: php7
in the project config of my maintenance repo to get the package built. Maybe this prefer should also be added to the Update repo?
(In reply to Lars Vogdt from comment #3)
> Please note: the package had a "have choice" problem with php7 and
> php7-test. I added a
> Prefer: php7
> in the project config of my maintenance repo to get the package built. Maybe
> this prefer should also be added to the Update repo?
^^^^ I forgot: for Leap 15.1
This is an autogenerated message for OBS integration:
This bug (1175135) was mentioned in
https://build.opensuse.org/request/show/826139 15.1+15.2+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / roundcubemail
openSUSE-SU-2020:1516-1: An update that solves 6 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1115718,1115719,1146286,1171040,1171148,1171149,1173792,1175135
CVE References: CVE-2019-10740,CVE-2020-12625,CVE-2020-12640,CVE-2020-12641,CVE-2020-15562,CVE-2020-16145
openSUSE Leap 15.2 (src): roundcubemail-1.3.15-lp184.108.40.206
openSUSE Leap 15.1 (src): roundcubemail-1.3.15-lp220.127.116.11
openSUSE Backports SLE-15-SP2 (src): roundcubemail-1.3.15-bp18.104.22.168
openSUSE Backports SLE-15-SP1 (src): roundcubemail-1.3.15-bp22.214.171.124