OPENSUSE-SU-2023:0285-1
Vulnerability from csaf_opensuse - Published: 2023-10-02 10:01 - Updated: 2023-10-02 10:01
Summary
Security update for roundcubemail
Notes
Title of the patch
Security update for roundcubemail
Description of the patch
This update for roundcubemail fixes the following issues:
Update to 1.6.3 (boo#1215433)
* Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
* Update jQuery-UI to version 1.13.2 (#9041)
* Fix regression that broke use_secure_urls feature (#9052)
* Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
* Fix bug where a duplicate <title> tag in HTML email could cause some parts being cut off (#9029)
* Fix bug where a list of folders could have been sorted incorrectly (#9057)
* Fix regression where LDAP addressbook 'filter' option was ignored (#9061)
* Fix wrong order of a multi-folder search result when sorting by size (#9065)
* Fix so install/update scripts do not require PEAR (#9037)
* Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)
* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)
* Fix PHP8 deprecation warning in the reconnect plugin (#9083)
* Fix 'Show source' on mobile with x_frame_options = deny (#9084)
* Fix various PHP warnings (#9098)
* Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)
* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
Update to 1.6.2
* Add Uyghur localization
* Fix regression in OAuth request URI caused by use of REQUEST_URI instead of SCRIPT_NAME as a default (#8878)
* Fix bug where false attachment reminder was displayed on HTML mail with inline images (#8885)
* Fix bug where a non-ASCII character in app.js could cause error in JavaScript engine (#8894)
* Fix JWT decoding with url safe base64 schema (#8890)
* Fix bug where .wav instead of .mp3 file was used for the new mail notification in Firefox (#8895)
* Fix PHP8 warning (#8891)
* Fix support for Windows-31J charset (#8869)
* Fix so LDAP VLV option is disabled by default as documented (#8833)
* Fix so an email address with name is supported as input to the managesieve notify :from parameter (#8918)
* Fix Help plugin menu (#8898)
* Fix invalid onclick handler on the logo image when using non-array skin_logo setting (#8933)
* Fix duplicate recipients in 'To' and 'Cc' on reply (#8912)
* Fix bug where it wasn't possible to scroll lists by clicking middle mouse button (#8942)
* Fix bug where label text in a single-input dialog could be partially invisible in some locales (#8905)
* Fix bug where LDAP (fulltext) search didn't work without 'search_fields' in config (#8874)
* Fix extra leading newlines in plain text converted from HTML (#8973)
* Fix so recipients with a domain ending with .s are allowed (#8854)
* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and TYPE=INTERNET (#8838)
* Fix QR code images for contacts with non-ASCII characters (#9001)
* Fix PHP8 warnings when using list_flags and list_cols properties by plugins (#8998)
* Fix bug where subfolders could lose subscription on parent folder rename (#8892)
* Fix connecting to LDAP using a URI with ldapi:// scheme (#8990)
* Fix insecure shell command params handling in cmd_learn driver of markasjunk plugin (#9005)
* Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk plugin (#9005)
* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
* Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
Patchnames
openSUSE-2023-285
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for roundcubemail",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for roundcubemail fixes the following issues:\n\nUpdate to 1.6.3 (boo#1215433)\n\n* Fix bug where installto.sh/update.sh scripts were removing some\n essential options from the config file (#9051)\n* Update jQuery-UI to version 1.13.2 (#9041)\n* Fix regression that broke use_secure_urls feature (#9052)\n* Fix potential PHP fatal error when opening a message with\n message/rfc822 part (#8953)\n* Fix bug where a duplicate \u003ctitle\u003e tag in HTML email could cause some\n parts being cut off (#9029)\n* Fix bug where a list of folders could have been sorted\n incorrectly (#9057)\n* Fix regression where LDAP addressbook \u0027filter\u0027 option was\n ignored (#9061)\n* Fix wrong order of a multi-folder search result when sorting by\n size (#9065)\n* Fix so install/update scripts do not require PEAR (#9037)\n* Fix regression where some mail parts could have been decoded\n incorrectly, or not at all (#9096)\n* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to\n non-binary FETCH (#9097)\n* Fix PHP8 deprecation warning in the reconnect plugin (#9083)\n* Fix \u0027Show source\u0027 on mobile with x_frame_options = deny (#9084)\n* Fix various PHP warnings (#9098)\n* Fix deprecated use of ldap_connect() in password\u0027s ldap_simple driver (#9060)\n* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs\n in plain text messages\n\nUpdate to 1.6.2\n\n* Add Uyghur localization\n* Fix regression in OAuth request URI caused by use of REQUEST_URI\n instead of SCRIPT_NAME as a default (#8878)\n* Fix bug where false attachment reminder was displayed on HTML mail\n with inline images (#8885)\n* Fix bug where a non-ASCII character in app.js could cause error in\n javascript engine (#8894)\n* Fix JWT decoding with url safe base64 schema (#8890)\n* Fix bug where .wav instead of .mp3 file was used for the new mail\n notification in Firefox (#8895)\n* Fix PHP8 warning (#8891)\n* Fix support for Windows-31J charset (#8869)\n* Fix so LDAP VLV option is disabled by default as documented (#8833)\n* Fix so an email address with name is supported as input to the managesieve\n notify :from parameter (#8918)\n* Fix Help plugin menu (#8898)\n* Fix invalid onclick handler on the logo image when using non-array\n skin_logo setting (#8933)\n* Fix duplicate recipients in \u0027To\u0027 and \u0027Cc\u0027 on reply (#8912)\n* Fix bug where it wasn\u0027t possible to scroll lists by clicking middle\n mouse button (#8942)\n* Fix bug where label text in a single-input dialog could be partially\n invisible in some locales (#8905)\n* Fix bug where LDAP (fulltext) search didn\u0027t work without \u0027search_fields\u0027\n in config (#8874)\n* Fix extra leading newlines in plain text converted from HTML (#8973)\n* Fix so recipients with a domain ending with .s are allowed (#8854)\n* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER\n and TYPE=INTERNET (#8838)\n* Fix QR code images for contacts with non-ASCII characters (#9001)\n* Fix PHP8 warnings when using list_flags and list_cols properties by\n plugins (#8998)\n* Fix bug where subfolders could loose subscription on parent folder\n rename (#8892)\n* Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)\n* Fix insecure shell command params handling in cmd_learn driver of markasjunk\n plugin (#9005)\n* Fix bug where some mail headers didn\u0027t work in cmd_learn driver of markasjunk\n plugin (#9005)\n* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)\n* Fix so output of log_date_format with microseconds contains time in server\n time zone, not UTC\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2023-285",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0285-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2023:0285-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FES4IKTZTYNBS3TCVPNOFHD7POSFJHYY/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2023:0285-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FES4IKTZTYNBS3TCVPNOFHD7POSFJHYY/"
},
{
"category": "self",
"summary": "SUSE Bug 1215433",
"url": "https://bugzilla.suse.com/1215433"
}
],
"title": "Security update for roundcubemail",
"tracking": {
"current_release_date": "2023-10-02T10:01:50Z",
"generator": {
"date": "2023-10-02T10:01:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2023:0285-1",
"initial_release_date": "2023-10-02T10:01:50Z",
"revision_history": [
{
"date": "2023-10-02T10:01:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "roundcubemail-1.6.3-bp155.2.3.1.noarch",
"product": {
"name": "roundcubemail-1.6.3-bp155.2.3.1.noarch",
"product_id": "roundcubemail-1.6.3-bp155.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP5",
"product": {
"name": "SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "roundcubemail-1.6.3-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:roundcubemail-1.6.3-bp155.2.3.1.noarch"
},
"product_reference": "roundcubemail-1.6.3-bp155.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "roundcubemail-1.6.3-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:roundcubemail-1.6.3-bp155.2.3.1.noarch"
},
"product_reference": "roundcubemail-1.6.3-bp155.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
}
}