CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2020/04/29 17:19:13
Modified files:
mail/roundcubemail: Tag: OPENBSD_6_6 Makefile distinfo
mail/roundcubemail/pkg: Tag: OPENBSD_6_6 PLIST
Removed files:
mail/roundcubemail/patches: Tag: OPENBSD_6_6
patch-program_lib_Roundcube_rcube_ldap_generic_php
Log message:
security update for -stable to roundcubemail-1.3.11
Security fixes:
- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted
'plugins' option
The latter two vulnerabilities are classified minor because they only
affect Roundcube installations with public access to the Roundcube
installer. Thatâs generally a high-risk situation and is expected to be
rare or practically non-existent in productive Roundcube deployments.
However, the fixes are done in core in order to also prevent from future
and yet unknown attack vectors.
Changelog at https://github.com/roundcube/roundcubemail/releases/tag/1.3.11
