Fedora 40: roundcubemail 2024-2e908e829a Security Advisory Updates
Summary
RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.
Update Information:
Version 1.6.8 Managesieve: Protect special scripts in managesieve_kolab_master mode Fix newmail_notifier notification focus in Chrome (#9467) Fix fatal error when parsing some TNEF attachments (#9462) Fix double scrollbar when composing a mail with many plain text lines (#7760) Fix decoding mail parts with multiple base64-encoded text blocks (#9290) Fix bug where some messages could get malformed in an import from a MBOX file (#9510) Fix invalid line break characters in multi-line text in Sieve scripts (#9543) Fix bug where "with attachment" filter could fail on some fts engines (#9514) Fix bug where an unhandled exception was caused by an invalid image attachment (#9475) Fix bug where a long subject title could not be displayed in some cases (#9416) Fix infinite loop when parsing malformed Sieve script (#9562) Fix bug where imap_conn_option's 'socket' was ignored (#9566) Fix XSS vulnerability in post-processing of sanitized HTML content CVE-2024-42009 Fix XSS vulnerability in serving of attachments other than HTML or SVG CVE-2024-42008 Fix information leak (access to remote content) via insufficient CSS filtering CVE-2024-42010
Change Log
* Mon Aug 5 2024 Remi Collet
References
[ 1 ] Bug #2303071 - CVE-2024-42008 roundcubemail: A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2303071 [ 2 ] Bug #2303076 - CVE-2024-42009 roundcubemail: A Cross-Site Scripting vulnerability in Roundcube [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2303076 [ 3 ] Bug #2303096 - CVE-2024-42010 roundcubemail: information leak due to insufficient CSS filtering [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2303096
Update Instructions
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-2e908e829a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label