
Test ID: 1.3.6.1.4.1.25623.1.0.856552
Category: openSUSE Local Security Checks
Title: openSUSE Security Advisory (openSUSE-SU-2024:0328-1)
Summary: The remote host is missing an update for the 'roundcubemail' package(s) announced via the openSUSE-SU-2024:0328-1 advisory.
Description:

Vulnerability Insight:
This update for roundcubemail fixes the following issues:

Update to 1.6.8

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

* Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
* Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
* Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

CHANGELOG

* Managesieve: Protect special scripts in managesieve_kolab_master mode
* Fix newmail_notifier notification focus in Chrome (#9467)
* Fix fatal error when parsing some TNEF attachments (#9462)
* Fix double scrollbar when composing a mail with many plain text lines (#7760)
* Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
* Fix bug where some messages could get malformed in an import from a MBOX file (#9510)
* Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
* Fix bug where 'with attachment' filter could fail on some fts engines (#9514)
* Fix bug where an unhandled exception was caused by an invalid image attachment (#9475)
* Fix bug where a long subject title could not be displayed in some cases (#9416)
* Fix infinite loop when parsing malformed Sieve script (#9562)
* Fix bug where imap_conn_option's 'socket' was ignored (#9566)
* Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
* Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
* Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Affected Software/OS:
'roundcubemail' package(s) on openSUSE Leap 15.5, openSUSE Leap 15.6.

Solution:
Please install the updated package(s).

CVSS Score:
9.4

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:N

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2024-42008
Common Vulnerability Exposure (CVE) ID: CVE-2024-42009
Common Vulnerability Exposure (CVE) ID: CVE-2024-42010

Copyright: Copyright (C) 2024 Greenbone AG
