[RCU] Security updates 1.4.8, 1.3.15 and 1.2.12 released

Sophie Loewenthal sophie at klunky.co.uk
Mon Aug 10 22:50:13 CEST 2020


Thank you, Thomas.

On 2020-08-10 21:50, Thomas Bruederli wrote:

> Dear subscribers
> 
> We just published security updates to the stable version 1.4 and the 
> LTS versions 1.3 and 1.2 of Roundcube Webmail.
> They all contain two recently reported cross-site scripting (XSS) 
> vulnerabilities. The 1.4.8 release also contains a number of general 
> improvements from our issue tracker [1].
> 
> Security fixes:
> * Fix cross-site scripting (XSS) via HTML messages with malicious svg 
> content (CVE-2020-16145)
> * Fix cross-site scripting (XSS) via HTML messages with malicious math 
> content
> 
> Credits for these two findings go to Łukasz Pilorz from Pentesters [2].
> 
> See the full changelogs in the release notes on the GitHub download
> pages for the updated versions.
> 
> We strongly recommend updating all productive installations of Roundcube
> with these new versions. Download the latest tarballs from
> https://roundcube.net/download
> 
> Best,
> Alec & Thomas
> 
> [1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.8
> [2] https://www.pentesters.pl/
> _______________________________________________
> Roundcube Users mailing list
> users at lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/users