-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Aug 2024 16:02:54 +0200
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1077969
Changes:
 roundcube (1.6.5+dfsg-1+deb12u3) bookworm-security; urgency=high
 .
   * Cherry pick upstream security fixes from v1.6.8 (closes: #1077969):
     + CVE-2024-42008: Cross-site scripting (XSS) vulnerability in serving of
       attachments other than HTML or SVG.
     + CVE-2024-42009: Cross-site scripting (XSS) vulnerability in
       post-processing of sanitized HTML content.
     + CVE-2024-42010: Fix information leak (access to remote content) via
       insufficient CSS filtering.
   * Cherry pick further upstream changes from v1.6.8:
     + Fix fatal error when parsing some TNEF attachments.
     + Fix bug where an unhandled exception was caused by an invalid image
       attachment.
     + Fix infinite loop when parsing malformed Sieve script.
     + Fix bug where imap_conn_option's 'socket' was ignored.