Bug 651124

Summary: <mail-client/roundcube-1.3.6: XSS
Product: Gentoo Security
Reporter: Philippe Chaintreuil <gentoo_bugs_2_peep>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gentoo_bugs_2_peep, titanofold, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=650912
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 653044
Bug Blocks:

Description Philippe Chaintreuil 2018-03-21 23:13:18 UTC
Roundcube 1.3.5 has been released.  It's a bug fix release.  These usually work by just renaming the existing ebuild.

"It contains fixes to several bugs backported from the master branch. One can be called a minor security fix as it fixes blocking of remote content on specially crafted style tags."

Changelog for the curious: https://github.com/roundcube/roundcubemail/releases/tag/1.3.5

Announcement: https://roundcube.net/news/2018/03/15/update-1.3.5-released
Comment 1 Larry the Git Cow gentoo-dev 2018-04-27 19:41:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c769016cc36b9803c40f093f3ab9831529ded12

commit 2c769016cc36b9803c40f093f3ab9831529ded12
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-04-27 19:41:26 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-04-27 19:41:26 +0000

    mail-client/roundcube: Bump to 1.3.6
    
    Fixes a security issue related to IMAP command injection.
    
    Fixes a XSS concern.
    
    Bug: https://bugs.gentoo.org/651124
    Bug: https://bugs.gentoo.org/653044
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 mail-client/roundcube/Manifest               |  1 +
 mail-client/roundcube/roundcube-1.3.6.ebuild | 99 ++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-04-30 22:47:06 UTC
GLSA Vote: No

Cleanup will happen in bug #653044