openSUSE Security Update: Security update for roundcubemail
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:1516-1
Rating: moderate
References: #1115718 #1115719 #1146286 #1171040 #1171148
#1171149 #1173792 #1175135
Cross-References: CVE-2019-10740 CVE-2020-12625 CVE-2020-12640
CVE-2020-12641 CVE-2020-15562 CVE-2020-16145

Affected Products:
openSUSE Leap 15.2
openSUSE Leap 15.1
openSUSE Backports SLE-15-SP2
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that solves 6 vulnerabilities and has two fixes
is now available.

Description:

This update for roundcubemail fixes the following issues:

roundcubemail was upgraded to 1.3.15

This is a security update to the LTS version 1.3. (boo#1175135)

* Security: Fix cross-site scripting (XSS) via HTML messages with
malicious svg content [CVE-2020-16145]
* Security: Fix cross-site scripting (XSS) via HTML messages with
malicious math content

From 1.3.14 (boo#1173792 -> CVE-2020-15562)

* Security: Fix cross-site scripting (XSS) via HTML messages with
malicious svg/namespace

From 1.3.13

* Installer: Fix regression in SMTP test section (#7417)

From 1.3.12

* Security: Better fix for CVE-2020-12641 (boo#1171148)
* Security: Fix XSS issue in template object ‘username’ (#7406)
* Security: Fix couple of XSS issues in Installer (#7406)
* Security: Fix cross-site scripting (XSS) via malicious XML attachment

From 1.3.11 (boo#1171148 -> CVE-2020-12641 boo#1171040 -> CVE-2020-12625
boo#1171149 -> CVE-2020-12640)

* Enigma: Fix compatibility with Mail_Mime >= 1.10.5
* Fix permissions on some folders created by bin/install-jsdeps.sh
script (#6930)
* Fix bug where inline images could have been ignored if Content-Id
header contained redundant spaces (#6980)
* Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
* Fix PHP warning: “array_merge(): Expected parameter 2 to be an array,
null given in sendmail.inc (#7003)
* Security: Fix XSS issue in handling of CDATA in HTML messages
* Security: Fix remote code execution via crafted ‘im_convert_path’ or
‘im_identify_path’ settings
* Security: Fix local file inclusion (and code execution) via crafted
‘plugins’ option
* Security: Fix CSRF bypass that could be used to log out an
authenticated user (#7302)

From 1.3.10 (boo#1146286)

* Managesieve: Fix so “Create filter” option does not show up when
Filters menu is disabled (#6723)
* Enigma: Fix bug where revoked users/keys were not greyed out in key
info
* Enigma: Fix error message when trying to encrypt with a revoked key
(#6607)
* Enigma: Fix “decryption oracle” bug [CVE-2019-10740] (#6638)
* Fix compatibility with kolab/net_ldap3 > 1.0.7 (#6785)
* Fix bug where bmp images couldn’t be displayed on some systems (#6728)
* Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp
(#6744)
* Fix bug where bold/strong text was converted to upper-case on
html-to-text conversion (6758)
* Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return
only tld (#6746)
* Fix bug where Next/Prev button in mail view didn’t work with
multi-folder search result (#6793)
* Fix bug where selection of columns on messages list wasn’t working
* Fix bug in converting multi-page Tiff images to Jpeg (#6824)
* Fix wrong messages order after returning to a multi-folder search
result (#6836)
* Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
* Fix bug where it was possible to bypass the position:fixed CSS check
in received messages (#6898)
* Fix bug where some strict remote URIs in url() style were
unintentionally blocked (#6899)
* Fix bug where it was possible to bypass the CSS jail in HTML messages
using :root pseudo-class (#6897)
* Fix bug where it was possible to bypass href URI check with
data:application/xhtml+xml URIs (#6896)

From 1.3.9 (boo#1115718)

* Fix TinyMCE download location (#6694)
* Fix bug where a message/rfc822 part without a filename wasn’t listed
on the attachments list (#6494)
* Fix handling of empty entries in vCard import (#6564)
* Fix bug in parsing some IMAP command responses that include
unsolicited replies (#6577)
* Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
* Fix so ANY record is not used for email domain validation, use A, MX,
CNAME, AAAA instead (#6581)
* Fix so mime_content_type check in Installer uses files that should
always be available (i.e. from program/resources) (#6599)
* Fix missing CSRF token on a link to download too-big message part
(#6621)
* Fix bug when aborting dragging with ESC key didn’t stop the move
action (#6623)
* Fix bug where next row wasn’t selected after deleting a collapsed
thread (#6655)

From 1.3.8

* Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1
(#6374)
* Fix so fallback from BINARY to BODY FETCH is used also on [PARSE]
errors in dovecot 2.3 (#6383)
* Enigma: Fix deleting keys with authentication subkeys (#6381)
* Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
* Fix so Classic skin splitter does not escape out of window (#6397)
* Fix XSS issue in handling invalid style tag content (#6410)
* Fix compatibility with MySQL 8 – error on ‘system’ table use
* Managesieve: Fix bug where show_real_foldernames setting wasn’t
respected (#6422)
* New_user_identity: Fix %fu/%u vars substitution in user specific LDAP
params (#6419)
* Fix support for “allow-from <uri>” in “x_frame_options” config option
(#6449)
* Fix bug where valid content between HTML comments could have been
skipped in some cases (#6464)
* Fix multiple VCard field search (#6466)
* Fix session issue on long running requests (#6470)

From 1.3.7 (boo#1115719)

* Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems
without php-intl (#6244)
* Fix bug where some parts of quota information could have been ignored
(#6280)
* Fix bug where some escape sequences in html styles could bypass
security checks
* Fix bug where some forbidden characters on Cyrus-IMAP were not
prevented from use in folder names
* Fix bug where only attachments with the same name would be ignored on
zip download (#6301)
* Fix bug where unicode contact names could have been broken/emptied or
caused DB errors (#6299)
* Fix bug where after “mark all folders as read” action message counters
were not reset (#6307)
* Enigma: [EFAIL] Don’t decrypt PGP messages with no MDC protection
(#6289)
* Fix bug where some HTML comments could have been malformed by HTML
parser (#6333)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.2:

zypper in -t patch openSUSE-2020-1516=1

– openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-1516=1

– openSUSE Backports SLE-15-SP2:

zypper in -t patch openSUSE-2020-1516=1

– openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2020-1516=1

Package List:

– openSUSE Leap 15.2 (noarch):

roundcubemail-1.3.15-lp152.4.3.1

– openSUSE Leap 15.1 (noarch):

roundcubemail-1.3.15-lp151.3.3.1

– openSUSE Backports SLE-15-SP2 (noarch):

roundcubemail-1.3.15-bp152.4.3.1

– openSUSE Backports SLE-15-SP1 (noarch):

roundcubemail-1.3.15-bp151.4.3.1

References:

https://www.suse.com/security/cve/CVE-2019-10740.html
https://www.suse.com/security/cve/CVE-2020-12625.html
https://www.suse.com/security/cve/CVE-2020-12640.html
https://www.suse.com/security/cve/CVE-2020-12641.html
https://www.suse.com/security/cve/CVE-2020-15562.html
https://www.suse.com/security/cve/CVE-2020-16145.html
https://bugzilla.suse.com/1115718
https://bugzilla.suse.com/1115719
https://bugzilla.suse.com/1146286
https://bugzilla.suse.com/1171040
https://bugzilla.suse.com/1171148
https://bugzilla.suse.com/1171149
https://bugzilla.suse.com/1173792
https://bugzilla.suse.com/1175135

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org