Fedora 30: 2020-57f2df7424 Critical Security Update for Roundcube XSS

Fedora, May 8, 2020
Roundcube Webmail version 1.4.4 has been released, fixing major security vulnerabilities like XSS, remote code execution, and local file inclusion for Fedora users

Summary

RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in PHP and requires a database: MySQL, PostgreSQL and SQLite are known to work. The user interface is fully skinnable using XHTML and CSS 2.

**Version 1.4.4** This is a **service and security update** to the stable version 1.4 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well as a number of general improvements from our issue tracker.

- Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
- Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
- Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
- Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
- Elastic: Fix color of a folder with recent messages (#7281)
- Elastic: Restrict logo size in print view (#7275)
- Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
- Fix missing contact display name in QR Code data (#7257)
- Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
- Fix regression in testing database schema on MSSQL (#7227)
- Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
- Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
- Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
- Fix handling keyservers configured with protocol prefix (#7295)
- Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
- Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
- Fix so imap error message is displayed to the user on folder create/update (#7245)
- Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
- Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
- Fix characters encoding in group rename input after group creation/rename (#7330)
- Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
- Make install-jsdeps.sh script working without the 'file' program installed (#7325)
- Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
- **Security**: Fix XSS issue in handling of CDATA in HTML messages
- **Security**: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- **Security**: Fix local file inclusion (and code execution) via crafted 'plugins' option
- **Security**: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

* Thu Apr 30 2020 Remi Collet - 1.4.4-1
- update to 1.4.4

To install this update, run su -c 'dnf upgrade --advisory FEDORA-2020-57f2df7424' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/

Severity: critical

Product: Fedora 30
Version: 1.4.4
Release: 1.fc30
Summary: Round Cube Webmail is a browser-based multilingual IMAP client
