
[SECURITY] [DLA 537-1] roundcube security update




Package        : roundcube
Version        : 0.7.2-9+deb7u3
CVE ID         : CVE-2015-8864

Roundcube, a webmail solution for IMAP servers, was susceptible to
cross-site-scripting (XSS) vulnerabilities when handling SVG images.
When right-clicking on the download link of an attached image, it was
possible that embedded JavaScript could be executed in a separate tab.

The update disables the display of SVG images in e-mails and tabs.
Downloading attachments is still possible. This security update also
mitigates other ways to exploit this issue in SVG images.
(CVE-2016-4068)

For Debian 7 "Wheezy", these problems have been fixed in version
0.7.2-9+deb7u3.

We recommend that you upgrade your roundcube packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

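The policy the advisory describes (SVG attachments stay downloadable but are never displayed inline) can be sketched as below. This is an added example, not part of the advisory and not Roundcube's patch; the names `triage`, `ActiveSvgScanner`, `INLINE_OK` and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser

INLINE_OK = {"image/png", "image/jpeg", "image/gif"}  # assumed allowlist, no SVG
# Constructed sample SVG; the script content is a harmless placeholder.
SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
       '<script>/* constructed placeholder */</script>'
       '<a href="javascript:void 0"><rect width="1" height="1"/></a></svg>')

class ActiveSvgScanner(HTMLParser):
    """Lists script-capable constructs; HTMLParser never expands XML entities."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script>")
        for name, value in attrs:
            url = "".join((value or "").split()).lower()  # drop embedded whitespace
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("href", "xlink:href") and url.startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")

def triage(raw_message):
    """Map each attachment name to (Content-Disposition to serve, SVG findings)."""
    result = {}
    for part in message_from_string(raw_message).walk():
        if part.is_multipart() or not part.get_filename():
            continue
        name = part.get_filename().lower()
        # Trust neither the declared type nor the extension on its own.
        svg = part.get_content_type() == "image/svg+xml" or name.endswith(".svg")
        scanner = ActiveSvgScanner()
        if svg:
            scanner.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            scanner.close()
        inline = not svg and part.get_content_type() in INLINE_OK
        result[part.get_filename()] = ("inline" if inline else "attachment", scanner.findings)
    return result

def sample_message():  # constructed: a PNG, an SVG, and an SVG mislabelled as PNG
    msg = EmailMessage()
    msg.set_content("see attachments")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(SVG.encode(), maintype="image", subtype="svg+xml", filename="chart.svg")
    msg.add_attachment(SVG.encode(), maintype="image", subtype="png", filename="photo.svg")
    return msg.as_string()
```

The findings list is for triage only; the protection comes from serving every SVG with the `attachment` disposition regardless of what the scan reports.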