Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-537-1 roundcube

Debian Security Advisory

DLA-537-1 roundcube -- LTS security update

Date Reported:

30 Jun 2016

Affected Packages:

roundcube

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-8864.

More information:

Roundcube, a webmail solution for IMAP servers, was susceptible to cross-site-scripting (XSS) vulnerabilities when handling SVG images. When right-clicking on the download link of an attached image, it was possible that embedded Javascript could be executed in a separate Tab.

The update disables displaying of SVG images in e-mails and TABS. Downloading attachments is still possible. This security update also mitigates against other ways to exploit this issue in SVG images. (CVE-2016-4068)

For Debian 7 Wheezy, these problems have been fixed in version 0.7.2-9+deb7u3.

We recommend that you upgrade your roundcube packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS