937890 – <mail-client/roundcube-1.6.8: XSS vulnerability

Bug 937890 - <mail-client/roundcube-1.6.8: XSS vulnerability

Summary: <mail-client/roundcube-1.6.8: XSS vulnerability

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://roundcube.net/news/2024/08/04...
Whiteboard:	B4 [stable]
Keywords:

Depends on:	942099
Blocks:
	Show dependency tree

Reported:	2024-08-13 23:25 UTC by Philippe Chaintreuil
Modified:	2024-10-24 18:45 UTC (History)
CC List:	6 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Philippe Chaintreuil 2024-08-13 23:25:04 UTC

Security fixes

    Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
    Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
    Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Announcement: https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8

Reproducible: Always

Comment 1 Hans de Graaff gentoo-dev

2024-08-14 06:31:18 UTC

We use the Summary version number to refer to versions in the gentoo repository, so I've removed the 1.5.x version since we no longer carry that version.

Please file a stable bug when ready.

Comment 2 John Helmert III archtester

2024-09-22 04:36:29 UTC

Please remember to cc maintainers!

Craig/Aaron - is 1.6.9 a suitable stable candidate?