Debian Security Advisory

DLA-537-1 roundcube -- LTS security update

Date Reported:
30 Jun 2016
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2015-8864.
More information:

Roundcube, a webmail solution for IMAP servers, was susceptible to cross-site-scripting (XSS) vulnerabilities when handling SVG images. When right-clicking on the download link of an attached image, it was possible that embedded Javascript could be executed in a separate Tab.

The update disables displaying of SVG images in e-mails and TABS. Downloading attachments is still possible. This security update also mitigates against other ways to exploit this issue in SVG images. (CVE-2016-4068)

For Debian 7 Wheezy, these problems have been fixed in version 0.7.2-9+deb7u3.

We recommend that you upgrade your roundcube packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: