Advisories » MGASA-2024-0193

Updated roundcubemail packages fix security vulnerabilities

Publication date: 25 May 2024
Modification date: 25 May 2024
Type: security
Affected Mageia releases : 9

Description

This is a security update to the stable version 1.6 of Roundcube
Webmail.
Fix cross-site scripting (XSS) vulnerability in handling SVG animate
attributes.
Reported by Valentin T. and Lutz Wolf of CrowdStrike.
Fix cross-site scripting (XSS) vulnerability in handling list columns
from user preferences.
Reported by Huy Nguyễn Phạm Nhật.
Fix command injection via crafted im_convert_path/im_identify_path on
Windows.
Reported by Huy Nguyễn Phạm Nhật.
This version is considered stable and we recommend to update all
productive installations of Roundcube 1.6.x with it. Please do backup
your data before updating!
                

References

• https://bugs.mageia.org/show_bug.cgi?id=33229
• https://github.com/roundcube/roundcubemail/releases/tag/1.6.7

SRPMS

9/core

• roundcubemail-1.6.7-1.mga9