Updated roundcubemail packages fix security vulnerabilities
Publication date: 29 Apr 2016
Modification date: 29 Apr 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-8864, CVE-2016-4069
Description
Updated roundcubemail packages fix security vulnerabilities:
- More security issues in the DBMail driver for the password plugin, related to CVE-2015-2181.
- XSS issue in SVG images handling (CVE-2015-8864).
- Lack of protection for attachment download URLs against CSRF (CVE-2016-4069).
The roundcubemail package has been updated to version 1.0.9, fixing these issues and several other bugs.
References
- https://bugs.mageia.org/show_bug.cgi?id=18257
- http://openwall.com/lists/oss-security/2016/04/23/4
- https://github.com/roundcube/roundcubemail/releases/tag/1.0.9
- http://lists.roundcube.net/pipermail/users/2016-April/011299.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8864
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4069
SRPMS
5/core
- roundcubemail-1.0.9-1.mga5