Security update for roundcubemail SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:1904-1 Final 1 1 2015-10-27T11:58:17Z current 2015-10-27T11:58:17Z 2015-10-27T11:58:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for roundcubemail roundcubemail was updated to version 1.0.7 to fix two security issues. These security issues were fixed: - XSS issue in drag-n-drop file uploads - Disallow unwanted access on files in the file system. The apache2 configuration file for roundcubemail allowed access to the roundcubemail/bin folder and possibly /logs, /config and /temp, if these were not symlinks (this was only the case when the configuration was manually changed) (bsc#952006) The package comes with a fixed configuration. If you modified the file '/etc/apache2/conf.d/roundcubemail.conf', please replace it with the configuration 'roundcubemail.conf.rpmnew' and reapply your changes. After that, a restart of apache2 is requried. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html E-Mail link for openSUSE-SU-2015:1904-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings roundcubemail-1.0.7-2.24.1