UbuntuUpdates.org

Package "roundcube"

Name: roundcube

Description:

skinnable AJAX based webmail solution for IMAP servers - metapackage

Latest version: 1.6.2+dfsg-1ubuntu0.2
Release: mantic (23.10)
Level: updates
Repository: universe
Homepage: https://www.roundcube.net/

Other versions of "roundcube" in Mantic

Repository  Area      Version
base        universe  1.6.2+dfsg-1
security    universe  1.6.2+dfsg-1ubuntu0.2

Changelog

Version: 1.6.2+dfsg-1ubuntu0.2 2024-06-25 19:07:08 UTC

  roundcube (1.6.2+dfsg-1ubuntu0.2) mantic-security; urgency=medium

  * SECURITY UPDATE: Cross-site Scripting
    - debian/patches/CVE-2023-47272.patch: Fix cross-site scripting
      (XSS) vulnerability in setting Content-Type/Content-Disposition for
      attachment preview/download
    - debian/patches/CVE-2023-5631.patch: Fix cross-site scripting (XSS)
      vulnerability in handling of SVG in HTML messages (#9168)
    - debian/patches/CVE-2024-37383.patch: Fix cross-site scripting
      (XSS) vulnerability in handling SVG animate attributes
    - debian/patches/CVE-2024-37384.patch: Fix cross-site scripting
      (XSS) vulnerability in handling list columns from user preferences
    - CVE-2023-47272
    - CVE-2023-5631
    - CVE-2024-37383
    - CVE-2024-37384

 -- Allen Huang <email address hidden> Thu, 20 Jun 2024 11:48:48 +0100

CVE-2023-47272 Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or downl
CVE-2023-5631 Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because
CVE-2024-37383 Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
CVE-2024-37384 Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.

Version: 1.6.2+dfsg-1ubuntu0.1 2024-02-26 07:06:51 UTC

  roundcube (1.6.2+dfsg-1ubuntu0.1) mantic-security; urgency=medium

  * SECURITY UPDATE: cross-site scripting vulnerability
    - debian/patches/CVE-2023-43770.patch: Fix cross-site scripting (XSS)
      vulnerability in handling of linkrefs in plain text messages
    - CVE-2023-43770

 -- Nishit Majithia <email address hidden> Fri, 23 Feb 2024 10:31:46 +0530

CVE-2023-43770 Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/l


