
Mageia 9: 2023-0332 Moderate: Roundcube Cross-Site Scripting Fix

mageia
December 1, 2023
Mageia 2023-0332 resolves XSS vulnerabilities in Roundcube with crucial updates and fixes.

Summary

Updated roundcubemail package fixes security vulnerabilities:

- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download (CVE-2023-47272)
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (CVE-2023-5631)

Some other errors have been fixed:

- Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE
- Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters
- Fix PHP warnings
- Fix UI issue when dealing with an invalid managesieve_default_headers value
- Fix bug where images attached to application/smil messages weren't displayed
- Fix PHP string replacement error in utils/error.php
- Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder

References

- https://bugs.mageia.org/show_bug.cgi?id=32493

- https://github.com/roundcube/roundcubemail/releases/tag/1.6.4

- https://github.com/roundcube/roundcubemail/releases/tag/1.6.5

- https://www.cve.org/CVERecord?id=CVE-2023-5631

- https://www.cve.org/CVERecord?id=CVE-2023-47272

Resolution

SRPMS

- 9/core/roundcubemail-1.6.5-1.mga9

Publication date: 01 Dec 2023
URL: https://advisories.mageia.org/MGASA-2023-0332.html
Type: security
CVE: CVE-2023-5631, CVE-2023-47272
