openSUSE Security Update: Security update for roundcubemail
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:1516-1
Rating:             moderate
References:         #1115718 #1115719 #1146286 #1171040 #1171148 
                    #1171149 #1173792 #1175135 
Cross-References:   CVE-2019-10740 CVE-2020-12625 CVE-2020-12640
                    CVE-2020-12641 CVE-2020-15562 CVE-2020-16145
                   
Affected Products:
                    openSUSE Leap 15.2
                    openSUSE Leap 15.1
                    openSUSE Backports SLE-15-SP2
                    openSUSE Backports SLE-15-SP1
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has two fixes
   is now available.

Description:

   This update for roundcubemail fixes the following issues:

   roundcubemail was upgraded to 1.3.15

   This is a security update to the LTS version 1.3. (boo#1175135)

     * Security: Fix cross-site scripting (XSS) via HTML messages with
       malicious svg content [CVE-2020-16145]
     * Security: Fix cross-site scripting (XSS) via HTML messages with
       malicious math content

   From 1.3.14 (boo#1173792 -> CVE-2020-15562)

     * Security: Fix cross-site scripting (XSS) via HTML messages with
       malicious svg/namespace

   From 1.3.13

     * Installer: Fix regression in SMTP test section (#7417)

   From 1.3.12

     * Security: Better fix for CVE-2020-12641 (boo#1171148)
     * Security: Fix XSS issue in template object 'username' (#7406)
     * Security: Fix couple of XSS issues in Installer (#7406)
     * Security: Fix cross-site scripting (XSS) via malicious XML attachment

   From 1.3.11 (boo#1171148 -> CVE-2020-12641 boo#1171040 -> CVE-2020-12625
   boo#1171149 -> CVE-2020-12640)

     * Enigma: Fix compatibility with Mail_Mime >= 1.10.5
     * Fix permissions on some folders created by bin/install-jsdeps.sh
       script (#6930)
     * Fix bug where inline images could have been ignored if Content-Id
       header contained redundant spaces (#6980)
     * Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
     * Fix PHP warning: "array_merge(): Expected parameter 2 to be an array,
       null given" in sendmail.inc (#7003)
     * Security: Fix XSS issue in handling of CDATA in HTML messages
     * Security: Fix remote code execution via crafted 'im_convert_path' or
       'im_identify_path' settings
     * Security: Fix local file inclusion (and code execution) via crafted
       'plugins' option
     * Security: Fix CSRF bypass that could be used to log out an
       authenticated user (#7302)

   From 1.3.10 (boo#1146286)

     * Managesieve: Fix so "Create filter" option does not show up when
       Filters menu is disabled (#6723)
     * Enigma: Fix bug where revoked users/keys were not greyed out in key
       info
     * Enigma: Fix error message when trying to encrypt with a revoked key
       (#6607)
     * Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
     * Fix compatibility with kolab/net_ldap3 > 1.0.7 (#6785)
     * Fix bug where bmp images couldn't be displayed on some systems (#6728)
     * Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp
       (#6744)
     * Fix bug where bold/strong text was converted to upper-case on
       html-to-text conversion (#6758)
     * Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return
       only tld (#6746)
     * Fix bug where Next/Prev button in mail view didn't work with
       multi-folder search result (#6793)
     * Fix bug where selection of columns on messages list wasn't working
     * Fix bug in converting multi-page Tiff images to Jpeg (#6824)
     * Fix wrong messages order after returning to a multi-folder search
       result (#6836)
     * Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
     * Fix bug where it was possible to bypass the position:fixed CSS check
       in received messages (#6898)
     * Fix bug where some strict remote URIs in url() style were
       unintentionally blocked (#6899)
     * Fix bug where it was possible to bypass the CSS jail in HTML messages
       using :root pseudo-class (#6897)
     * Fix bug where it was possible to bypass href URI check with
       data:application/xhtml+xml URIs (#6896)

   From 1.3.9 (boo#1115718)

     * Fix TinyMCE download location (#6694)
     * Fix bug where a message/rfc822 part without a filename wasn't listed
       on the attachments list (#6494)
     * Fix handling of empty entries in vCard import (#6564)
     * Fix bug in parsing some IMAP command responses that include
       unsolicited replies (#6577)
     * Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
     * Fix so ANY record is not used for email domain validation, use A, MX,
       CNAME, AAAA instead (#6581)
     * Fix so mime_content_type check in Installer uses files that should
       always be available (i.e. from program/resources) (#6599)
     * Fix missing CSRF token on a link to download too-big message part
       (#6621)
     * Fix bug when aborting dragging with ESC key didn't stop the move
       action (#6623)
     * Fix bug where next row wasn't selected after deleting a collapsed
       thread (#6655)

   From 1.3.8

     * Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1
       (#6374)
     * Fix so fallback from BINARY to BODY FETCH is used also on [PARSE]
       errors in dovecot 2.3 (#6383)
     * Enigma: Fix deleting keys with authentication subkeys (#6381)
     * Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
     * Fix so Classic skin splitter does not escape out of window (#6397)
     * Fix XSS issue in handling invalid style tag content (#6410)
     * Fix compatibility with MySQL 8 - error on 'system' table use
     * Managesieve: Fix bug where show_real_foldernames setting wasn't
       respected (#6422)
     * New_user_identity: Fix %fu/%u vars substitution in user specific LDAP
       params (#6419)
     * Fix support for "allow-from " in "x_frame_options" config option
       (#6449)
     * Fix bug where valid content between HTML comments could have been
       skipped in some cases (#6464)
     * Fix multiple VCard field search (#6466)
     * Fix session issue on long running requests (#6470)

   From 1.3.7 (boo#1115719)

     * Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems
       without php-intl (#6244)
     * Fix bug where some parts of quota information could have been ignored
       (#6280)
     * Fix bug where some escape sequences in html styles could bypass
       security checks
     * Fix bug where some forbidden characters on Cyrus-IMAP were not
       prevented from use in folder names
     * Fix bug where only attachments with the same name would be ignored on
       zip download (#6301)
     * Fix bug where unicode contact names could have been broken/emptied or
       caused DB errors (#6299)
     * Fix bug where after "mark all folders as read" action message counters
       were not reset (#6307)
     * Enigma: [EFAIL] Don't decrypt PGP messages with no MDC protection
       (#6289)
     * Fix bug where some HTML comments could have been malformed by HTML
       parser (#6333)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2020-1516=1

   - openSUSE Leap 15.1:

      zypper in -t patch openSUSE-2020-1516=1

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2020-1516=1

   - openSUSE Backports SLE-15-SP1:

      zypper in -t patch openSUSE-2020-1516=1



Package List:

   - openSUSE Leap 15.2 (noarch):

      roundcubemail-1.3.15-lp152.4.3.1

   - openSUSE Leap 15.1 (noarch):

      roundcubemail-1.3.15-lp151.3.3.1

   - openSUSE Backports SLE-15-SP2 (noarch):

      roundcubemail-1.3.15-bp152.4.3.1

   - openSUSE Backports SLE-15-SP1 (noarch):

      roundcubemail-1.3.15-bp151.4.3.1
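   As an added example (not part of the openSUSE advisory or the roundcubemail
   project), the following POSIX shell check verifies that an installed
   roundcubemail package string, in the form printed by "rpm -q", is at or
   above the 1.3.15 fixed version from the Package List; the package strings
   used for the sample checks are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the advisory: confirm the installed roundcubemail
# package carries at least the fixed upstream version (1.3.15).
# Assumes an RPM-based openSUSE host; the live query at the bottom is optional.

FIXED_VERSION="1.3.15"

# Return 0 (true) if dotted version $1 is >= dotted version $2.
# Compares component by component so that 1.3.10 < 1.3.15 (string
# comparison would get that wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Extract the upstream version from a package string such as
# roundcubemail-1.3.15-lp152.4.3.1 (the part between the name and the release).
pkg_version() {
    printf '%s\n' "$1" | sed -n 's/^roundcubemail-\([0-9][0-9.]*\)-.*$/\1/p'
}

# Print "patched", "vulnerable" or "unknown" for one package string.
check_pkg() {
    ver=$(pkg_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Live check on a real host (uncomment to use):
# check_pkg "$(rpm -q roundcubemail)"
```

   Any result other than "patched" means the host still needs the
   "zypper in -t patch openSUSE-2020-1516=1" step above.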


References:

   https://www.suse.com/security/cve/CVE-2019-10740.html
   https://www.suse.com/security/cve/CVE-2020-12625.html
   https://www.suse.com/security/cve/CVE-2020-12640.html
   https://www.suse.com/security/cve/CVE-2020-12641.html
   https://www.suse.com/security/cve/CVE-2020-15562.html
   https://www.suse.com/security/cve/CVE-2020-16145.html
   https://bugzilla.suse.com/1115718
   https://bugzilla.suse.com/1115719
   https://bugzilla.suse.com/1146286
   https://bugzilla.suse.com/1171040
   https://bugzilla.suse.com/1171148
   https://bugzilla.suse.com/1171149
   https://bugzilla.suse.com/1173792
   https://bugzilla.suse.com/1175135

September 24, 2020