Stay Secure with the Latest Linux Advisories

security advisoryfedoraremote code execution

Fedora 31: FEDORA-2020-35e12da5fe Critical: Roundcube Remote Execution

**Version 1.4.4** This is a **service and security update** to the stable version 1.4 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker. - Fix bug where attachments with Content-Id were attached to the message on reply (#7122) - Fix identity selection on reply when both sender and. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-35e12da5fe 2020-05-09 04:11:53.213409 --------------------------------------------------------------------------------Name : roundcubemail Product : Fedora 31 Version : 1.4.4 Release : 1.fc31 URL : https://roundcube.net/ Summary : Round Cube Webmail is a browser-based multilingual IMAP client Description : RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in PHP and requires a database: MySQL, PostgreSQL and SQLite are known to work. The user interface is fully skinnable using XHTML and CSS 2. --------------------------------------------------------------------------------Update Information: **Version 1.4.4** This is a **service and security update** to the stable version 1.4 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker. - Fix bug where attachments with Content-Id were attached to the message on reply (#7122) - Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211) - Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230) - Elastic: Fix recipient input bug when using click to select a contactfrom autocomplete list (#7231) - Elastic: Fix color of a folder with recent messages (#7281) - Elastic: Restrict logo size in print view (#7275) -Fix invalid Content-Type for messages with only html part and inline images -Mail_Mime-1.10.7 (#7261) - Fix missing contact display name in QR Code data (#7257) - Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246) - Fix regression in testing database schema on MSSQL (#7227) -Fix cursor position after inserting a group to a recipient input using autocompletion (#7267) - Fix string literals handling in IMAP STATUS (and various other) responses (#7290) - Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293) - Fix handling keyservers configured with protocol prefix (#7295) - Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189) - Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206) - Fix so imap error message is displayed to the user on folder create/update (#7245) -Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147) - Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312) - Fix characters encoding in group rename input after group creation/rename (#7330) - Fix bug where some message/rfc822 parts could not be attached on forward (#7323) - Make install-jsdeps.sh script working without the 'file' program installed (#7325) - Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331) - Fix so Print button for PDF attachments works on Firefox > = 75 (#5125) - **Security**: Fix XSS issue in handling of CDATA in HTML messages -**Security**: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings - **Security**: Fix local file inclusion (and code execution) via crafted 'plugins' option - **Security**: Fix CSRF bypass that could be used to log out anauthenticated user (#7302) --------------------------------------------------------------------------------ChangeLog: * Thu Apr 30 2020 Remi Collet - 1.4.4-1 - update to 1.4.4 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-35e12da5fe' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ . Critical patch released for Roundcube Webmail tackling several vulnerabilities such as cross-site scripting (XSS) and remote command execution flaws.. Roundcube Webmail Update,Fedora Security Advisory,Remote Code Execution,CSRF Bypass,Security Fixes. . Severity: Critical. LinuxSecurity.com Team

May 09, 2020 •Critical Fedora