oss-sec mailing list archives
CVE Request: Roundcube: XSS issue in SVG image handling and protection for download urs against CSRF
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 23 Apr 2016 17:03:50 +0200
Hi Roundcube recently released new versions: https://github.com/roundcube/roundcubemail/wiki/Changelog There are at least the following two fixes: Fix XSS issue in SVG images handling (#4949): --------------------------------------------- Upstream issue: https://github.com/roundcube/roundcubemail/issues/4949 Fix for master branch: https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18 Fix for 1.1 branch: https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0 Protect download urls against CSRF using unique request tokens (#4957): ----------------------------------------------------------------------- Upstrema issue: https://github.com/roundcube/roundcubemail/issues/4957 Fix for master branch: https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5 Fix for the 1.1 brach: https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53 Could you assign CVEs for those issues? Regards, Salvatore
Current thread:
- CVE Request: Roundcube: XSS issue in SVG image handling and protection for download urs against CSRF Salvatore Bonaccorso (Apr 23)