[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content

Hello Guilhem,

On 12/01/2022 14:15, Guilhem Moulin wrote:
In a recent post roundcube webmail upstream has announced the following
security fix for #1003027.

     CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML
     messages with malicious CSS content.

(Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and
1.3 are affected too and the same fix applies cleanly.  buster- and
bullseye-security are no longer affected.)

Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached.  I can upload
if you'd like but would appreciate if you could take care of the DLA :-)

Thanks for the update. Go ahead and upload to stretch-security, and I'll publish the DLA accordingly :)

(out of curiosity, was there an issue with keeping the "$this->config['charset']" bit from the original patch?)

Sylvain Beucler
Debian LTS Team

Reply to: