
Re: roundcube: CVE-2020-16145: XSS vulnerability via HTML messages with malicious SVG or math content



On Tue, Aug 11, 2020 at 01:40:48PM -0400, Roberto C. Sánchez wrote:
> On Tue, Aug 11, 2020 at 07:11:57PM +0200, Guilhem Moulin wrote:
> > Dear security team,
> > 
> > In a recent post roundcube webmail upstream has announced the following
> > security fix for #968216:
> > 
> >     Cross-site scripting (XSS) via HTML messages with malicious SVG
> >     or math content (CVE-2020-16145)
> > 
> > AFAICT CVE-2020-16145 is only about SVG not math, but the upstream
> > commit addresses both so I opened a single bug:
> > https://github.com/roundcube/roundcubemail/commit/589d36010048300ed39f4887aab1afd3ae98d00e
> > 
> > Debdiff tested and attached, but I'd appreciate if you could take care
> > of the DLA :-)
> > 
> > Thanks!
> > Cheers,
> > -- 
> > Guilhem.
> 
> Hi Guilhem,
> 
> I'll take care of it shortly.
> 
I have uploaded the update, published the DLA to the mailing list and
submitted a Salsa MR for the advisory update on the website.

Regards,

-Roberto

-- 
Roberto C. Sánchez