File _patchinfo of Package patchinfo.5986

<patchinfo incident="5986">
  <issue id="1001856" tracker="bnc">VUL-0: roundcubemail: 1.1.6 fixes XSS + clickjacking flaw</issue>
  <issue id="1012493" tracker="bnc">VUL-0: roundcubemail: command injection via php mail() additional_parameters</issue>
  <issue id="982003" tracker="bnc">VUL-0: CVE-2016-5103: roundcube: XSS vulnerability in mail content page</issue>
  <issue id="976988" tracker="bnc">VUL-0: CVE-2016-4069: roundcubemail: XSS issue in SVG image handling and protection for download urls against CSRF</issue>
  <issue id="2015-2181" tracker="cve" />
  <issue id="2016-5103" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>aeneas_jaissle</packager>
  <description>
roundcubemail was updated to version 1.1.7 and fixes the following issues:

- Update to 1.1.7
  * A maliciously crafted FROM value could cause extra parameters to be passed
    to the sendmail command (boo#1012493)
  * A maliciously crafted email could cause untrusted code to be executed
    (cross-site scripting using &lt;area href=javascript:...&gt;) (boo#982003,
    CVE-2016-5103)
  * Avoid HTML styles that could cause potential clickjacking (boo#1001856)

- Update to 1.1.5

  * Fixed security issue in DBMail driver of password plugin (CVE-2015-2181,
    boo#976988)

  </description>
  <summary>Security update for roundcubemail</summary>
</patchinfo>