File _patchinfo of Package patchinfo.18430

<patchinfo incident="18430">
  <issue tracker="bnc" id="1216895">VUL-0: CVE-2023-47272: Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).</issue>
  <issue tracker="cve" id="2023-47272"/>
  <packager>AndreasStieger</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for roundcubemail</summary>
  <description>This update for roundcubemail fixes the following issues:

Update to 1.6.7

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:

  * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
    Reported by Valentin T. and Lutz Wolf of CrowdStrike.
  * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
    Reported by Huy Nguy&#7877;n Ph&#7841;m Nh&#7853;t.
  * Fix command injection via crafted im_convert_path/im_identify_path on Windows.
    Reported by Huy Nguy&#7877;n Ph&#7841;m Nh&#7853;t.

  CHANGELOG

  * Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
  * Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
  * Fix bug in collapsing/expanding folders with some special characters in names (#9324)
  * Fix PHP8 warnings (#9363, #9365, #9429)
  * Fix missing field labels in CSV import, for some locales (#9393)
  * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
  * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
  * Fix command injection via crafted im_convert_path/im_identify_path on Windows

Update to 1.6.6:

  * Fix regression in handling LDAP search_fields configuration parameter (#9210)
  * Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
  * Fix page jump menu flickering on click (#9196)
  * Update to TinyMCE 5.10.9 security release (#9228)
  * Fix PHP8 warnings (#9235, #9238, #9242, #9306)
  * Fix saving other encryption settings besides enigma's (#9240)
  * Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
  * Fix TinyMCE localization installation (#9266)
  * Fix bug where trailing non-ascii characters in email addresses 
    could have been removed in recipient input (#9257)
  * Fix IMAP GETMETADATA command with options - RFC5464

Update to 1.6.5 (boo#1216895):

  * Fix cross-site scripting (XSS) vulnerability in setting 
    Content-Type/Content-Disposition for attachment 
    preview/download  CVE-2023-47272

  Other changes:

  * Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
  * Fix duplicated Inbox folder on IMAP servers that do not use Inbox 
    folder with all capital letters (#9166)
  * Fix PHP warnings (#9174)
  * Fix UI issue when dealing with an invalid managesieve_default_headers 
    value (#9175)
  * Fix bug where images attached to application/smil messages 
    weren't displayed (#8870)
  * Fix PHP string replacement error in utils/error.php (#9185)
  * Fix regression where smtp_user did not allow pre/post strings 
    before/after %u placeholder (#9162)
</description>
</patchinfo>