Security update for roundcubemail SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:3038-1 Final 1 1 2016-12-07T10:26:00Z current 2016-12-07T10:26:00Z 2016-12-07T10:26:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for roundcubemail roundcubemail was updated to version 1.1.7 and fixes the following issues: - Update to 1.1.7 * A maliciously crafted FROM value could cause extra parameters to be passed to the sendmail command (boo#1012493) * A maliciously crafted email could cause untrusted code to be executed (cross site scripting using $lt;area href=javascript:...>) (boo#982003, CVE-2016-5103) * Avoid HTML styles that could cause potential click jacking (boo#1001856) - Update to 1.1.5 * Fixed security issue in DBMail driver of password plugin (CVE-2015-2181, boo#976988) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00018.html E-Mail link for openSUSE-SU-2016:3038-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 roundcubemail-1.1.7-15.1 roundcubemail-1.1.7-15.1 as a component of openSUSE Leap 42.1 roundcubemail-1.1.7-15.1 as a component of openSUSE Leap 42.2 Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username. CVE-2015-2181 openSUSE Leap 42.1:roundcubemail-1.1.7-15.1 openSUSE Leap 42.2:roundcubemail-1.1.7-15.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00018.html https://www.suse.com/security/cve/CVE-2015-2181.html CVE-2015-2181 https://bugzilla.suse.com/976988 SUSE Bug 976988 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-4552. Reason: This candidate is a reservation duplicate of CVE-2016-4552. Notes: All CVE users should reference CVE-2016-4552 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2016-5103 openSUSE Leap 42.1:roundcubemail-1.1.7-15.1 openSUSE Leap 42.2:roundcubemail-1.1.7-15.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00018.html https://www.suse.com/security/cve/CVE-2016-5103.html CVE-2016-5103 https://bugzilla.suse.com/1016744 SUSE Bug 1016744 https://bugzilla.suse.com/982003 SUSE Bug 982003 https://bugzilla.suse.com/982703 SUSE Bug 982703