{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for roundcubemail","title":"Title of the patch"},{"category":"description","text":"This update for roundcubemail fixes the following issues:\n\nUpdate to 1.6.3 (boo#1215433)\n\n* Fix bug where installto.sh/update.sh scripts were removing some\n  essential options from the config file (#9051)\n* Update jQuery-UI to version 1.13.2 (#9041)\n* Fix regression that broke use_secure_urls feature (#9052)\n* Fix potential PHP fatal error when opening a message with\n  message/rfc822 part (#8953)\n* Fix bug where a duplicate <title> tag in HTML email could cause some\n  parts being cut off (#9029)\n* Fix bug where a list of folders could have been sorted\n  incorrectly (#9057)\n* Fix regression where LDAP addressbook 'filter' option was\n  ignored (#9061)\n* Fix wrong order of a multi-folder search result when sorting by\n  size (#9065)\n* Fix so install/update scripts do not require PEAR (#9037)\n* Fix regression where some mail parts could have been decoded\n  incorrectly, or not at all (#9096)\n* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to\n  non-binary FETCH (#9097)\n* Fix PHP8 deprecation warning in the reconnect plugin (#9083)\n* Fix 'Show source' on mobile with x_frame_options = deny (#9084)\n* Fix various PHP warnings (#9098)\n* Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)\n* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs\n  in plain text messages\n\nUpdate to 1.6.2\n\n* Add Uyghur localization\n* Fix regression in OAuth request URI caused by use of REQUEST_URI\n  instead of SCRIPT_NAME as a default (#8878)\n* Fix bug where false attachment reminder was displayed on HTML mail\n  with inline images (#8885)\n* Fix bug where a non-ASCII character in app.js could cause error in\n  javascript engine (#8894)\n* Fix JWT decoding with url safe base64 schema (#8890)\n* Fix bug where .wav instead of .mp3 file was used for the new mail\n  notification in Firefox (#8895)\n* Fix PHP8 warning (#8891)\n* Fix support for Windows-31J charset (#8869)\n* Fix so LDAP VLV option is disabled by default as documented (#8833)\n* Fix so an email address with name is supported as input to the managesieve\n  notify :from parameter (#8918)\n* Fix Help plugin menu (#8898)\n* Fix invalid onclick handler on the logo image when using non-array\n  skin_logo setting (#8933)\n* Fix duplicate recipients in 'To' and 'Cc' on reply (#8912)\n* Fix bug where it wasn't possible to scroll lists by clicking middle\n  mouse button (#8942)\n* Fix bug where label text in a single-input dialog could be partially\n  invisible in some locales (#8905)\n* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'\n  in config (#8874)\n* Fix extra leading newlines in plain text converted from HTML (#8973)\n* Fix so recipients with a domain ending with .s are allowed (#8854)\n* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER\n  and TYPE=INTERNET (#8838)\n* Fix QR code images for contacts with non-ASCII characters (#9001)\n* Fix PHP8 warnings when using list_flags and list_cols properties by\n  plugins (#8998)\n* Fix bug where subfolders could loose subscription on parent folder\n  rename (#8892)\n* Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)\n* Fix insecure shell command params handling in cmd_learn driver of markasjunk\n  plugin (#9005)\n* Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk\n  plugin (#9005)\n* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)\n* Fix so output of log_date_format with microseconds contains time in server\n  time zone, not UTC\n","title":"Description of the patch"},{"category":"details","text":"openSUSE-2023-285","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0285-1.json"},{"category":"self","summary":"URL for openSUSE-SU-2023:0285-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FES4IKTZTYNBS3TCVPNOFHD7POSFJHYY/"},{"category":"self","summary":"E-Mail link for openSUSE-SU-2023:0285-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FES4IKTZTYNBS3TCVPNOFHD7POSFJHYY/"},{"category":"self","summary":"SUSE Bug 1215433","url":"https://bugzilla.suse.com/1215433"}],"title":"Security update for roundcubemail","tracking":{"current_release_date":"2023-10-02T10:01:50Z","generator":{"date":"2023-10-02T10:01:50Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"openSUSE-SU-2023:0285-1","initial_release_date":"2023-10-02T10:01:50Z","revision_history":[{"date":"2023-10-02T10:01:50Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"roundcubemail-1.6.3-bp155.2.3.1.noarch","product":{"name":"roundcubemail-1.6.3-bp155.2.3.1.noarch","product_id":"roundcubemail-1.6.3-bp155.2.3.1.noarch"}}],"category":"architecture","name":"noarch"},{"branches":[{"category":"product_name","name":"SUSE Package Hub 15 SP5","product":{"name":"SUSE Package Hub 15 SP5","product_id":"SUSE Package Hub 15 SP5"}},{"category":"product_name","name":"openSUSE Leap 15.5","product":{"name":"openSUSE Leap 15.5","product_id":"openSUSE Leap 15.5","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.5"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"roundcubemail-1.6.3-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5","product_id":"SUSE Package Hub 15 SP5:roundcubemail-1.6.3-bp155.2.3.1.noarch"},"product_reference":"roundcubemail-1.6.3-bp155.2.3.1.noarch","relates_to_product_reference":"SUSE Package Hub 15 SP5"},{"category":"default_component_of","full_product_name":{"name":"roundcubemail-1.6.3-bp155.2.3.1.noarch as component of openSUSE Leap 15.5","product_id":"openSUSE Leap 15.5:roundcubemail-1.6.3-bp155.2.3.1.noarch"},"product_reference":"roundcubemail-1.6.3-bp155.2.3.1.noarch","relates_to_product_reference":"openSUSE Leap 15.5"}]}}