Summary: | <mail-client/roundcube-1.5.0: multiple vulnerabilities | |
---|---|---|---
Product: | Gentoo Security | Reporter: | John Helmert III <ajak>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | IN_PROGRESS --- | |
Severity: | minor | CC: | candrews, dennis, gentoo_bugs_peep, titanofold, web-apps
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1 | |
Whiteboard: | B3 [glsa?] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 830889 | |
Bug Blocks: | 711270 | |
Description

John Helmert III
2021-11-19 12:54:00 UTC

Another, CVE-2021-44025: Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.

Might just be easiest to drop the 1.4.11 ebuild and stabilize 1.5.0.

(That said, historically, Roundcube ebuild bumps are just a straight copy with a new name, so it's not like they're difficult.)

(In reply to Philippe Chaintreuil from comment #2)
> Might just be easiest to drop the 1.4.11 ebuild and stabilize 1.5.0.
>
> (That said, historically, Roundcube ebuild bumps are just a straight copy
> with a new name, so it's not like they're difficult.)

Is 1.5.0 unaffected?

(In reply to John Helmert III from comment #3)
> Is 1.5.0 unaffected?

https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released says the fixes were already in 1.5.0.

(In reply to Philippe Chaintreuil from comment #4)
> (In reply to John Helmert III from comment #3)
> > Is 1.5.0 unaffected?
>
> https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released
> says the fixes were already in 1.5.0.

Thanks, please stabilize when ready then.

*** Bug 829408 has been marked as a duplicate of this bug. ***

Security: can this be closed? There aren't any matching ebuilds in the tree anymore.

This still needs a decision on a security advisory, and yes, we are behind with those.