[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of roundcube?

On 10.06.2016 21:50, Markus Koschany wrote:
> On 09.06.2016 09:45, Brian May wrote:
>> Adrian Zaugg <adi@ente.limmat.ch> writes:
>>> I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.
>> I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1
>> from jessie-backports instead.
>> Unfortunately it needs a newer version of libjs-jquery then what is
>> available in Wheezy:
> Hi,
> I just had a closer look at the vulnerabilities. I have marked
> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
> the vulnerable code is not present in this version. There is no upstream
> fix available for CVE-2016-4086.
> That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
> needs more investigation. Some affected plugins don't exist in Wheezy,
> the rest of the code is quite different.


I have just uploaded a new version of roundcube to fix CVE-2015-8864.
This one is a XSS issue in SVG image handling because roundcube displays
the images without checking for embedded Javascript/HTML/other code.
Upstream solved that partially by filtering the XML code but not all
possible ways to exploit this issue have been addressed so far.
I opted for not displaying the SVG images in separate Tabs and in
e-mails but downloading SVG image attachments is still possible. This is
not the perfect solution but it also mitigates against CVE-2016-4086. I
suggest to keep CVE-2016-4086 open until someone comes up with a better

I couldn't find a good way to address CVE-2016-4096 for Wheezy and I
suggest to keep this one open for now.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: