[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content

Hi Sylvain!

On Wed, 12 Jan 2022 at 15:48:51 +0100, Sylvain Beucler wrote:
> On 12/01/2022 14:15, Guilhem Moulin wrote:
>> In a recent post roundcube webmail upstream has announced the following
>> security fix for #1003027.
>>     CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML
>>     messages with malicious CSS content.
>> (Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and
>> 1.3 are affected too and the same fix applies cleanly.  buster- and
>> bullseye-security are no longer affected.)
>> Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached.  I can upload
>> if you'd like but would appreciate if you could take care of the DLA :-)
> Thanks for the update. Go ahead and upload to stretch-security, and I'll
> publish the DLA accordingly :)

Uploaded to security-master, thank you!
> (out of curiosity, was there an issue with keeping the
> "$this->config['charset']" bit from the original patch?)

Ah yeah, forgot to mention that bit :-)  There was no issue as far as I
could tell.  I don't have a strong opinion either way, but given
htmlspecialchars()'s optional 3rd argument was added for 1.4-beta in
I decided to drop it for stretch- and buster-security uploads.


Attachment: signature.asc
Description: PGP signature

Reply to: