From ${URL} :

A 1.2.0 release of roundcubemail fixed an XSS vulnerability in href attribute on area tag.

External references:
https://github.com/roundcube/roundcubemail/issues/5240

Upstream fix:
https://github.com/roundcube/roundcubemail/pull/5241

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Thank you to Kim Sindalsen and Philippe Chaintreuil for working on this. I failed to thank them in the commit. I stared at it for several minutes thinking I was forgetting something, and not being able to remember, pushed it.

Stabilization target:
=mail-client/roundcube-1.2.0 ~amd64 ~arm ~ppc ~x86

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

commit 4d31c895c86b85f0fec9effbaf37b55c8a2229fb
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date: Sun May 29 13:35:04 2016 -0400

    mail-client/roundcube: Fix Multiple Vulnerabilities

    Many security issues/enhancements are resolved with this release. The most significant being:

    * Fix (again) security issue in DBMail driver of password plugin (CVE-2015-2181)
    * Fix path traversal vulnerability in setting a skin (CVE-2015-8770)
    * Fix XSS issue in SVG images handling
    * Fix XSS issue in href attribute on area tag

    You can find the complete list of changes in the included CHANGELOG or at:
    https://github.com/roundcube/roundcubemail/wiki/Changelog

    Bug: 580746, 584200, 584098

    Package-Manager: portage-2.2.26
amd64 stable
x86 stable
arm stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
Tree is clean. GLSA Vote: No