Hi Sylvain! On Wed, 12 Jan 2022 at 15:48:51 +0100, Sylvain Beucler wrote: > On 12/01/2022 14:15, Guilhem Moulin wrote: >> In a recent post roundcube webmail upstream has announced the following >> security fix for #1003027. >> >> CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML >> messages with malicious CSS content. >> >> (Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and >> 1.3 are affected too and the same fix applies cleanly. buster- and >> bullseye-security are no longer affected.) >> >> Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached. I can upload >> if you'd like but would appreciate if you could take care of the DLA :-) > > Thanks for the update. Go ahead and upload to stretch-security, and I'll > publish the DLA accordingly :) Uploaded to security-master, thank you! > (out of curiosity, was there an issue with keeping the > "$this->config['charset']" bit from the original patch?) Ah yeah, forgot to mention that bit :-) There was no issue as far as I could tell. I don't have a strong opinion either way, but given htmlspecialchars()'s optional 3rd argument was added for 1.4-beta in https://github.com/roundcube/roundcubemail/commit/73ea8f94d01a87c3b9e83c96d1b795ca27151f16 I decided to drop it for stretch- and buster-security uploads. Cheers, -- Guilhem.
Attachment:
signature.asc
Description: PGP signature