Linux Security

    openSUSE: 2020:1516-1: moderate: roundcubemail

       openSUSE Security Update: Security update for roundcubemail
    ______________________________________________________________________________
    
    Announcement ID:    openSUSE-SU-2020:1516-1
    Rating:             moderate
    References:         #1115718 #1115719 #1146286 #1171040 #1171148 
                        #1171149 #1173792 #1175135 
    Cross-References:   CVE-2019-10740 CVE-2020-12625 CVE-2020-12640
                        CVE-2020-12641 CVE-2020-15562 CVE-2020-16145
                       
    Affected Products:
                        openSUSE Leap 15.2
                        openSUSE Leap 15.1
                        openSUSE Backports SLE-15-SP2
                        openSUSE Backports SLE-15-SP1
    ______________________________________________________________________________
    
       An update that solves 6 vulnerabilities and has two fixes
       is now available.
    
    Description:
    
       This update for roundcubemail fixes the following issues:
    
       roundcubemail was upgraded to 1.3.15
    
       This is a security update to the LTS version 1.3. (boo#1175135)
    
         * Security: Fix cross-site scripting (XSS) via HTML messages with
           malicious svg content [CVE-2020-16145]
         * Security: Fix cross-site scripting (XSS) via HTML messages with
           malicious math content
    
       From 1.3.14 (boo#1173792 -> CVE-2020-15562)
    
         * Security: Fix cross-site scripting (XSS) via HTML messages with
           malicious svg/namespace
    
       From 1.3.13
    
         * Installer: Fix regression in SMTP test section (#7417)
    
       From 1.3.12
    
         * Security: Better fix for CVE-2020-12641 (boo#1171148)
         * Security: Fix XSS issue in template object 'username' (#7406)
         * Security: Fix couple of XSS issues in Installer (#7406)
         * Security: Fix cross-site scripting (XSS) via malicious XML attachment
    
       From 1.3.11 (boo#1171148 -> CVE-2020-12641 boo#1171040 -> CVE-2020-12625
       boo#1171149 -> CVE-2020-12640)
    
         * Enigma: Fix compatibility with Mail_Mime >= 1.10.5
         * Fix permissions on some folders created by bin/install-jsdeps.sh
           script (#6930)
         * Fix bug where inline images could have been ignored if Content-Id
           header contained redundant spaces (#6980)
         * Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
     * Fix PHP warning: "array_merge(): Expected parameter 2 to be an array,
       null given" in sendmail.inc (#7003)
     * Security: Fix XSS issue in handling of CDATA in HTML messages
       [CVE-2020-12625]
     * Security: Fix remote code execution via crafted 'im_convert_path' or
       'im_identify_path' settings [CVE-2020-12641]
     * Security: Fix local file inclusion (and code execution) via crafted
       'plugins' option [CVE-2020-12640]
         * Security: Fix CSRF bypass that could be used to log out an
           authenticated user (#7302)
    
       From 1.3.10 (boo#1146286)
    
         * Managesieve: Fix so "Create filter" option does not show up when
           Filters menu is disabled (#6723)
         * Enigma: Fix bug where revoked users/keys were not greyed out in key
           info
         * Enigma: Fix error message when trying to encrypt with a revoked key
           (#6607)
         * Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
         * Fix compatibility with kolab/net_ldap3 > 1.0.7 (#6785)
         * Fix bug where bmp images couldn't be displayed on some systems (#6728)
         * Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp
           (#6744)
     * Fix bug where bold/strong text was converted to upper-case on
       html-to-text conversion (#6758)
         * Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return
           only tld (#6746)
         * Fix bug where Next/Prev button in mail view didn't work with
           multi-folder search result (#6793)
         * Fix bug where selection of columns on messages list wasn't working
         * Fix bug in converting multi-page Tiff images to Jpeg (#6824)
         * Fix wrong messages order after returning to a multi-folder search
           result (#6836)
         * Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
         * Fix bug where it was possible to bypass the position:fixed CSS check
           in received messages (#6898)
         * Fix bug where some strict remote URIs in url() style were
           unintentionally blocked (#6899)
         * Fix bug where it was possible to bypass the CSS jail in HTML messages
           using :root pseudo-class (#6897)
         * Fix bug where it was possible to bypass href URI check with
           data:application/xhtml+xml URIs (#6896)
    
       From 1.3.9 (boo#1115718)
    
         * Fix TinyMCE download location (#6694)
         * Fix bug where a message/rfc822 part without a filename wasn't listed
           on the attachments list (#6494)
         * Fix handling of empty entries in vCard import (#6564)
         * Fix bug in parsing some IMAP command responses that include
           unsolicited replies (#6577)
         * Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
         * Fix so ANY record is not used for email domain validation, use A, MX,
           CNAME, AAAA instead (#6581)
         * Fix so mime_content_type check in Installer uses files that should
           always be available (i.e. from program/resources) (#6599)
         * Fix missing CSRF token on a link to download too-big message part
           (#6621)
         * Fix bug when aborting dragging with ESC key didn't stop the move
           action (#6623)
         * Fix bug where next row wasn't selected after deleting a collapsed
           thread (#6655)
    
       From 1.3.8
    
         * Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1
           (#6374)
         * Fix so fallback from BINARY to BODY FETCH is used also on [PARSE]
           errors in dovecot 2.3 (#6383)
         * Enigma: Fix deleting keys with authentication subkeys (#6381)
         * Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
         * Fix so Classic skin splitter does not escape out of window (#6397)
         * Fix XSS issue in handling invalid style tag content (#6410)
         * Fix compatibility with MySQL 8 - error on 'system' table use
         * Managesieve: Fix bug where show_real_foldernames setting wasn't
           respected (#6422)
         * New_user_identity: Fix %fu/%u vars substitution in user specific LDAP
           params (#6419)
         * Fix support for "allow-from " in "x_frame_options" config option
           (#6449)
         * Fix bug where valid content between HTML comments could have been
           skipped in some cases (#6464)
         * Fix multiple VCard field search (#6466)
         * Fix session issue on long running requests (#6470)
    
       From 1.3.7 (boo#1115719)
    
         * Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems
           without php-intl (#6244)
         * Fix bug where some parts of quota information could have been ignored
           (#6280)
         * Fix bug where some escape sequences in html styles could bypass
           security checks
         * Fix bug where some forbidden characters on Cyrus-IMAP were not
           prevented from use in folder names
         * Fix bug where only attachments with the same name would be ignored on
           zip download (#6301)
         * Fix bug where unicode contact names could have been broken/emptied or
           caused DB errors (#6299)
         * Fix bug where after "mark all folders as read" action message counters
           were not reset (#6307)
         * Enigma: [EFAIL] Don't decrypt PGP messages with no MDC protection
           (#6289)
         * Fix bug where some HTML comments could have been malformed by HTML
           parser (#6333)
    
    
    Patch Instructions:
    
       To install this openSUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - openSUSE Leap 15.2:
    
          zypper in -t patch openSUSE-2020-1516=1
    
       - openSUSE Leap 15.1:
    
          zypper in -t patch openSUSE-2020-1516=1
    
       - openSUSE Backports SLE-15-SP2:
    
          zypper in -t patch openSUSE-2020-1516=1
    
       - openSUSE Backports SLE-15-SP1:
    
          zypper in -t patch openSUSE-2020-1516=1
    
    
    
    Package List:
    
       - openSUSE Leap 15.2 (noarch):
    
          roundcubemail-1.3.15-lp152.4.3.1
    
       - openSUSE Leap 15.1 (noarch):
    
          roundcubemail-1.3.15-lp151.3.3.1
    
       - openSUSE Backports SLE-15-SP2 (noarch):
    
          roundcubemail-1.3.15-bp152.4.3.1
    
       - openSUSE Backports SLE-15-SP1 (noarch):
    
          roundcubemail-1.3.15-bp151.4.3.1
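The package list above names the fixed version, 1.3.15, and the patch instructions give the zypper command that installs it. The following script is an added example, not part of the openSUSE advisory or the roundcube project: it checks whether the roundcubemail rpm on a host is at least that version, and audits a config.inc.php for two things the 1.3.11 and 1.3.12 entries make relevant, whether the web installer is still enabled and whether im_convert_path or im_identify_path contain shell metacharacters. The config it audits is a constructed sample that the script writes itself; the config key names enable_installer, im_convert_path and im_identify_path are roundcube's own, and the rpm query assumes the package naming shown in the package list.

```shell
#!/bin/sh
# Added example for this advisory (not openSUSE's or roundcube's code):
# verify that the installed roundcubemail rpm is at least the fixed
# version, and audit a config.inc.php for the settings the 1.3.11/1.3.12
# fixes concern. The config audited at the bottom is a constructed sample.

FIXED_VERSION="1.3.15"   # version named in the advisory's package list

# vercmp A B: compare dotted version strings field by field.
# Prints 0 if A == B, 1 if A > B, 2 if A < B. Missing fields count as 0,
# so 1.3.15 == 1.3.15.0 and 1.3.15.1 > 1.3.15.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && { echo 1; return; }
        [ "$ai" -lt "$bi" ] && { echo 2; return; }
    done
    echo 0
}

# roundcube_is_fixed VERSION: true when VERSION is not older than 1.3.15.
roundcube_is_fixed() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" != 2 ]
}

# Version of the installed rpm, e.g. "1.3.15" for roundcubemail-1.3.15-lp152.4.3.1.
installed_roundcube_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}\n' roundcubemail 2>/dev/null
}

# cfg_value FILE KEY: print the value assigned to $config['KEY'] in a
# roundcube config.inc.php (quotes stripped; an unquoted value such as
# "true" keeps its trailing ';', which the callers tolerate).
cfg_value() {
    sed -n "s/^[[:space:]]*\\\$config\\['$2'][[:space:]]*=[[:space:]]*['\"]*\\([^'\"]*\\)['\"]*.*/\\1/p" "$1"
}

# audit_roundcube_config FILE: one finding per line; exit 0 if clean.
audit_roundcube_config() {
    cfg="$1"; rc=0
    case "$(cfg_value "$cfg" enable_installer)" in
        true*) echo "enable_installer is true: the web installer (XSS fixes in 1.3.12) is reachable"; rc=1 ;;
    esac
    for key in im_convert_path im_identify_path; do
        val=$(cfg_value "$cfg" "$key")
        # The 1.3.11 fix (CVE-2020-12641) concerns these values reaching a
        # shell; a value containing shell metacharacters is suspect regardless.
        if [ -n "$val" ] && printf '%s' "$val" | grep -q '[;|&`$()<>]'; then
            echo "$key contains shell metacharacters: $val"; rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not taken from any real deployment).
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
$config['db_dsnw'] = 'mysql://roundcube:secret@localhost/roundcubemail';
$config['enable_installer'] = true;
$config['im_convert_path'] = '/usr/bin/convert; touch /tmp/owned';
$config['im_identify_path'] = '/usr/bin/identify';
EOF
}

# Stand-alone run: version check on this host, config audit on the sample.
if v=$(installed_roundcube_version); then
    if roundcube_is_fixed "$v"; then echo "roundcubemail $v: fixed"
    else echo "roundcubemail $v: older than $FIXED_VERSION, run zypper patch"; fi
else
    echo "roundcubemail rpm not installed here; skipping version check"
fi
sample=$(mktemp)
write_sample_config "$sample"
audit_roundcube_config "$sample" || echo "config audit: issues found"
rm -f "$sample"
```

The version check tells you whether the package update actually landed on a host; the config audit is the compensating check for a host that cannot be updated immediately, and is worth running afterwards as well, since the advisory's fixes are in the package code, not in whatever an administrator has placed in config.inc.php.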
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2019-10740.html
       https://www.suse.com/security/cve/CVE-2020-12625.html
       https://www.suse.com/security/cve/CVE-2020-12640.html
       https://www.suse.com/security/cve/CVE-2020-12641.html
       https://www.suse.com/security/cve/CVE-2020-15562.html
       https://www.suse.com/security/cve/CVE-2020-16145.html
       https://bugzilla.suse.com/1115718
       https://bugzilla.suse.com/1115719
       https://bugzilla.suse.com/1146286
       https://bugzilla.suse.com/1171040
       https://bugzilla.suse.com/1171148
       https://bugzilla.suse.com/1171149
       https://bugzilla.suse.com/1173792
       https://bugzilla.suse.com/1175135
    