Re: roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content
On 12/01/2022 14:15, Guilhem Moulin wrote:
> In a recent post roundcube webmail upstream has announced the following
> security fix for #1003027.
>
> CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML
> messages with malicious CSS content.
>
> (Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and
> 1.3 are affected too and the same fix applies cleanly. buster- and
> bullseye-security are no longer affected.)
>
> Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached. I can upload
> if you'd like but would appreciate if you could take care of the DLA :-)

Thanks for the update. Go ahead and upload to stretch-security, and I'll
publish the DLA accordingly :)

(out of curiosity, was there an issue with keeping the
"$this->config['charset']" bit from the original patch?)

Debian LTS Team