Format: 1.8
Date: Thu, 08 Aug 2024 23:48:56 +0200
Source: roundcube
Architecture: source
Version: 1.4.15+dfsg.1-1+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1077969
Changes:
 roundcube (1.4.15+dfsg.1-1+deb11u4) bullseye-security; urgency=high
 .
   * Fix CVE-2024-42008: Cross-site scripting (XSS) vulnerability in serving of
     attachments other than HTML or SVG.
   * Fix CVE-2024-42009: Cross-site scripting (XSS) vulnerability in
     post-processing of sanitized HTML content. (Closes: #1077969)
   * Fix CVE-2024-42010: Information leak (access to remote content) via
     insufficient CSS filtering.
   * Backport upstream fix for infinite loop when parsing malformed Sieve
     script.
Checksums-Sha1:
 b1c02113680293fd3574e9271687a8aa5e881e13 3276 roundcube_1.4.15+dfsg.1-1+deb11u4.dsc
 85e881df2b3d93da3081c588eeeb752880ce8da4 109876 roundcube_1.4.15+dfsg.1-1+deb11u4.debian.tar.xz
 d37902dc53bd9b9c0dc1c335e5a29c7d68818b54 10857 roundcube_1.4.15+dfsg.1-1+deb11u4_amd64.buildinfo
Checksums-Sha256:
 9ad8f09e42c6cbfa0cc8dc3b4338c4a70b85fa7a35a19801c12e490ff0c8f6a8 3276 roundcube_1.4.15+dfsg.1-1+deb11u4.dsc
 eeca2d679fe36aa08ff9099dcc33cb2ccf1ce2f2880f8f351ed5697a71fabeb6 109876 roundcube_1.4.15+dfsg.1-1+deb11u4.debian.tar.xz
 d57903b078e666179fc5452f23f1b117ae9ad0d14456a43beec462455165eb49 10857 roundcube_1.4.15+dfsg.1-1+deb11u4_amd64.buildinfo
Files:
 c679031b681d45f6439cc8f054f07127 3276 web optional roundcube_1.4.15+dfsg.1-1+deb11u4.dsc
 68c1d74d0406df79b80c4207f961bd98 109876 web optional roundcube_1.4.15+dfsg.1-1+deb11u4.debian.tar.xz
 cfa7811aca3fef6d28589048ff7369c6 10857 web optional roundcube_1.4.15+dfsg.1-1+deb11u4_amd64.buildinfo