We just published security updates to the 1.7 and 1.6 LTS versions of
Roundcube Webmail. They both contain fixes for recently reported
security vulnerabilities.
Security fixes:
- Fix stored XSS/HTML/CSS injection in subject field of the draft
restore dialog, reported by zazy
- Fix CSS injection bypass in HTML sanitizer via SVG `<animate
attributeName="style">`, reported by wooseokdotkim
- Fix pre-auth SQL injection in virtuser_query plugin via preg_replace
backslash escape bypass, reported by skull
- Fix SSRF bypass via specific local address URLs
- Fix local/private URL fetch bypass when remote resources were not
allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team
- Fix bypass of remote image blocking via CSS var(), reported by Geame
- Fix pre-auth arbitrary file delete via redis/memcache session
poisoning bypass, reported by valent1
- Fix code injection vulnerability - remove support for code evaluation
in LDAP `autovalues` option, reported by Glendaenri
See the full changelogs in the release notes on the GitHub release
pages for the updated versions 1.7.1 and 1.6.16:
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
We strongly recommend updating all production installations of
Roundcube 1.6.x and 1.7.x to these new versions. Note that several of
the fixes above only matter for a given setup if the affected component
is in use (the virtuser_query plugin, a redis/memcache session store, or
LDAP address books with `autovalues`), but the HTML sanitizer and
remote-resource fixes apply to every installation.
--
Alec
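To check an installed copy against the fixed versions named in this announcement, here is an added example (it is not part of the announcement and not code from the Roundcube project). It assumes that the installed version is exposed as the `RCMAIL_VERSION` constant in `program/include/iniset.php`; the file contents below are constructed, and the fixed-version table contains only the two versions the announcement names, so any other branch is reported as unknown rather than as safe.

```python
import re
import sys

# Lowest version of each LTS branch carrying the fixes from this announcement.
# Only the two versions stated on the page are listed; nothing is inferred
# about other branches.
FIXED_VERSIONS = {
    (1, 6): "1.6.16",
    (1, 7): "1.7.1",
}

# Matches the define() of RCMAIL_VERSION in program/include/iniset.php
# (assumption: that is where Roundcube keeps its version string).
VERSION_DEFINE_RE = re.compile(
    r"""define\(\s*['"]RCMAIL_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)

# Constructed sample of an iniset.php from an older 1.6 install.
SAMPLE_INISET = """<?php
// constructed sample, not a real file
define('RCMAIL_VERSION', '1.6.12');
define('RCMAIL_START', microtime(true));
"""


def parse_version(version):
    """Turn '1.6.16', '1.7.1' or '1.7-rc2' into a comparable tuple.

    The last element marks a final release (1) versus a pre-release (0), so
    '1.7-rc2' sorts below '1.7.0' and below '1.7.1'.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(-.*)?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def version_from_iniset(text):
    """Extract the RCMAIL_VERSION value from the contents of iniset.php."""
    m = VERSION_DEFINE_RE.search(text)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


def check_roundcube_version(version):
    """Classify an installed version against the fixed releases.

    Returns a dict with the installed version, its branch, the fixed version
    for that branch (or None) and a status of 'patched', 'update-needed' or
    'unknown-branch'.
    """
    installed = parse_version(version)
    branch = installed[:2]
    fixed = FIXED_VERSIONS.get(branch)
    result = {
        "installed": version,
        "branch": f"{branch[0]}.{branch[1]}",
        "fixed": fixed,
    }
    if fixed is None:
        # Not one of the branches the announcement covers; say so instead of
        # guessing that it is safe.
        result["status"] = "unknown-branch"
    elif installed >= parse_version(fixed):
        result["status"] = "patched"
    else:
        result["status"] = "update-needed"
    return result


def check_iniset_file(path):
    """Read a real iniset.php and report on it."""
    with open(path, encoding="utf-8") as fh:
        return check_roundcube_version(version_from_iniset(fh.read()))


if __name__ == "__main__":
    # Pass a path to program/include/iniset.php, or run without arguments to
    # see the result for the constructed sample.
    if len(sys.argv) > 1:
        report = check_iniset_file(sys.argv[1])
    else:
        report = check_roundcube_version(version_from_iniset(SAMPLE_INISET))
    print(report)
```

Run it against `program/include/iniset.php` on each host; `update-needed` means the installed build predates the fixed release for its branch, and `unknown-branch` means the branch is not one the announcement covers and has to be assessed separately.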
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]