Roundcube 1.3.5 has been released. It's a bug fix release. These usually work by just renaming the existing ebuild.

"It contains fixes to several bugs backported from the master branch. One can be called a minor security fix as it fixes blocking of remote content on specially crafted style tags."

Changelog for the curious: https://github.com/roundcube/roundcubemail/releases/tag/1.3.5
Announcement: https://roundcube.net/news/2018/03/15/update-1.3.5-released

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c769016cc36b9803c40f093f3ab9831529ded12

commit 2c769016cc36b9803c40f093f3ab9831529ded12
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-04-27 19:41:26 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-04-27 19:41:26 +0000

    mail-client/roundcube: Bump to 1.3.6

    Fixes a security issue related to IMAP command injection. Fixes a XSS concern.

    Bug: https://bugs.gentoo.org/651124
    Bug: https://bugs.gentoo.org/653044
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 mail-client/roundcube/Manifest               |  1 +
 mail-client/roundcube/roundcube-1.3.6.ebuild | 99 ++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)

GLSA Vote: No

Cleanup will happen in bug #653044