[SECURITY] [DLA 2878-1] roundcube security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2878-1] roundcube security update
From: Sylvain Beucler <beuc@beuc.net>
Date: Wed, 12 Jan 2022 16:39:17 +0100
Message-id: <[🔎] 20220112153917.GA23762@mail.beuc.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2878-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
January 12, 2022                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : roundcube
Version        : 1.2.3+dfsg.1-4+deb9u10
CVE ID         : CVE-2021-46144
Debian Bug     : 1003027

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, did not properly sanitize HTML
messages. This would allow an attacker to perform Cross-Site Scripting
(XSS) attacks.

For Debian 9 stretch, this problem has been fixed in version
1.2.3+dfsg.1-4+deb9u10.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmHe9V0ACgkQDTl9HeUl
XjBnVxAArP71IOzv70OAZk5Cfr6PQkBKy0h0xnG7qnNI4HbNtAJgl2bcgGy8qBIh
Eb+QZduJZc7b0C/jMZbBcmuOkMYC6jhczM5/Z/uhb5OOFYyZ5/XBXg2AYtK5QU9f
RqEzPNljiKMPc6wKZHcPnhDA2aN8HwHRvkVi8VMD9Cp+eZJ6yb1vYDvIcr/uOMdk
Gla2fSSaGJeJ3koiJ3KJBnN9PshKopEgupggUj6ZGWCx+QnURTXvHnQtRHtZevSh
0PgreJSwriwsy+iwSh39nOInvi6mosT/xI1eQ1GwRp1w8s6hoGuxy1pQsnu2Nmmz
OFWwILoF4fe322EAXYy8sjv5YBmpcIQQX+YOkDUzBBcSlw7/PNz8NDBnQPZ6OA5v
5adigWXVlRTz1iOALz6NiegI8/f41wEWIno25RkcqGoct2Ta/VZAF8L7hll9sQ+h
RKOMNGVKhegL7g4fvJH+bdMBlhjdbXRaEyUhVkT2aQ7oqDwak3PM9YSOQmjI+qof
PbhZtfC0xhRn9lgYurBePCAeD2uvfRDJMBfwagBVYd70W3mSkXSjxj0RpOfR0X1Q
LIWMzMJ+pg5Bw5mZ3jm8tEZm23EjBOVTHvVngzEfhF4BkDrx00HUp0HmLIgByN2u
0UTsLkho6pGYE51BEfanoQ2EfS8olAeZsp44dYQuuciwL2rRsTw=
=qqvc
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2877-1] gdal security update
Next by Date: [SECURITY] [DLA 2879-1] ghostscript security update
Previous by thread: [SECURITY] [DLA 2877-1] gdal security update
Next by thread: [SECURITY] [DLA 2879-1] ghostscript security update
Index(es):
- Date
- Thread