Overview

File _patchinfo of Package patchinfo.18526

<patchinfo incident="18526">
  <issue tracker="cve" id="2024-42010"/>
  <issue tracker="cve" id="2024-42009"/>
  <issue tracker="cve" id="2024-42008"/>
  <issue tracker="bnc" id="1228901">VUL-0: CVE-2024-42010: mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a insufficiently filters Cascading Style Sheets (CSS) token sequences in rendere
d e-mail messages, allowing a remote attacker to obtain sensitive information.</issue>
  <issue tracker="bnc" id="1228900">VUL-0: CVE-2024-42009: A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via
 a crafted e-mail message that abuses a Desanitization issue in message_bo ...</issue>
  <packager>aeneas_jaissle</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for roundcubemail</summary>
  <description>This update for roundcubemail fixes the following issues:

Update to 1.6.8
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

  * Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
  * Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
  * Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

  CHANGELOG

  * Managesieve: Protect special scripts in managesieve_kolab_master mode
  * Fix newmail_notifier notification focus in Chrome (#9467)
  * Fix fatal error when parsing some TNEF attachments (#9462)
  * Fix double scrollbar when composing a mail with many plain text lines (#7760)
  * Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
  * Fix bug where some messages could get malformed in an import from a MBOX file (#9510)
  * Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
  * Fix bug where "with attachment" filter could fail on some fts engines (#9514)
  * Fix bug where an unhandled exception was caused by an invalid image attachment (#9475)
  * Fix bug where a long subject title could not be displayed in some cases (#9416)
  * Fix infinite loop when parsing malformed Sieve script (#9562)
  * Fix bug where imap_conn_option's 'socket' was ignored (#9566)
  * Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
  * Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
  * Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places