On Tue, Aug 11, 2020 at 01:40:48PM -0400, Roberto C. Sánchez wrote:
> On Tue, Aug 11, 2020 at 07:11:57PM +0200, Guilhem Moulin wrote:
> > Dear security team,
> >
> > In a recent post roundcube webmail upstream has announced the following
> > security fix for #968216:
> >
> >     Cross-site scripting (XSS) via HTML messages with malicious SVG
> >     or math content (CVE-2020-16145)
> >
> > AFAICT CVE-2020-16145 is only about SVG not math, but the upstream
> > commit addresses both so I opened a single bug:
> >
> >     https://github.com/roundcube/roundcubemail/commit/589d36010048300ed39f4887aab1afd3ae98d00e
> >
> > Debdiff tested and attached, but I'd appreciate if you could take care
> > of the DLA :-)
> >
> > Thanks!
> > Cheers,
> > --
> > Guilhem.
>
> Hi Guilhem,
>
> I'll take care of it shortly.
>

I have uploaded the update, published the DLA to the mailing list and
submitted a Salsa MR for the advisory update on the website.

Regards,

-Roberto

--
Roberto C. Sánchez