oss-sec mailing list archives

CVE Request: Roundcube: XSS issue in SVG image handling and protection for download urls against CSRF


From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 23 Apr 2016 17:03:50 +0200

Hi

Roundcube recently released new versions:

https://github.com/roundcube/roundcubemail/wiki/Changelog

There are at least the following two fixes:

Fix XSS issue in SVG images handling (#4949):
---------------------------------------------

Upstream issue:
  https://github.com/roundcube/roundcubemail/issues/4949

Fix for master branch:
  https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18

Fix for 1.1 branch:
  https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0

Protect download urls against CSRF using unique request tokens (#4957):
-----------------------------------------------------------------------

Upstream issue:
  https://github.com/roundcube/roundcubemail/issues/4957

Fix for master branch:
  https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5

Fix for the 1.1 branch:
  https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53

Could you assign CVEs for those issues?

Regards,
Salvatore
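The second fix above protects download URLs with unique request tokens. The following is an added illustration of that pattern, written for this archive and not taken from the mail or from Roundcube's code base: a per-session secret mints an HMAC token that is bound to the resource being downloaded, and the server refuses any download request whose token does not match. The `/download` path and the `id` and `token` parameter names are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class DownloadTokenGuard:
    """Mints and validates per-session download tokens.

    Constructed example, not Roundcube's implementation: the `/download`
    path and the `id`/`token` query parameters are hypothetical names.
    """

    def __init__(self) -> None:
        # One random secret per login session, kept server-side only.
        self._secret = secrets.token_bytes(32)

    def token_for(self, resource_id: str) -> str:
        # Binding the token to the resource id means a token seen for one
        # attachment cannot be replayed against a different attachment.
        msg = b"download:" + resource_id.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def download_url(self, resource_id: str) -> str:
        # Only the application renders these links; a third-party page cannot
        # compute the token because it never sees the session secret.
        return "/download?" + urlencode(
            {"id": resource_id, "token": self.token_for(resource_id)}
        )

    def authorize(self, url: str) -> bool:
        # Server-side check performed before the file is streamed.
        params = parse_qs(urlparse(url).query)
        resource_id = params.get("id", [None])[0]
        presented = params.get("token", [""])[0]
        if resource_id is None:
            return False
        expected = self.token_for(resource_id)
        # Constant-time comparison so token bytes do not leak through timing.
        return hmac.compare_digest(presented.encode(), expected.encode())


def demo() -> dict:
    """Run constructed requests through the guard and report each outcome."""
    victim = DownloadTokenGuard()
    other_session = DownloadTokenGuard()
    legit = victim.download_url("attachment-17")
    return {
        # Link rendered by the application for this session: accepted.
        "legit_link": victim.authorize(legit),
        # Cross-site request without a token: rejected.
        "no_token": victim.authorize("/download?id=attachment-17"),
        # Guessed token: rejected.
        "guessed_token": victim.authorize(
            "/download?id=attachment-17&token=" + "0" * 64
        ),
        # Valid token for attachment-17 reused for attachment-18: rejected.
        "token_reused_for_other_id": victim.authorize(
            "/download?"
            + urlencode({"id": "attachment-18",
                         "token": victim.token_for("attachment-17")})
        ),
        # Token minted under a different session secret: rejected.
        "token_from_other_session": victim.authorize(
            other_session.download_url("attachment-17")
        ),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} -> {'accepted' if accepted else 'rejected'}")
```

The token is derived rather than stored, so nothing beyond the session secret has to be persisted; a variant that stores single-use nonces would additionally defeat replay of a leaked link within the same session.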
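The first fix concerns XSS through SVG images, which can carry script elements, event-handler attributes and active URL schemes while still rendering as a picture. As an added example (not from the mail and not Roundcube's own sanitizer), the check below parses an SVG and strips those vectors, reporting what it removed so a mail server can log or reject the attachment. The sample SVG is constructed; `xml.etree` is used for portability, and a production deployment should parse untrusted XML with defusedxml or equivalent.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed arbitrary HTML inside an SVG.
SCRIPTING_ELEMENTS = {"script", "foreignobject"}
# URL schemes that run code or smuggle active content when referenced.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags/attributes."""
    return name.rsplit("}", 1)[-1].lower()


def _unsafe_url(value: str) -> bool:
    # Collapse whitespace so "java script:" style obfuscation is still caught.
    compact = "".join(value.split()).lower()
    return compact.startswith(DANGEROUS_SCHEMES)


def sanitize_svg(svg_text: str):
    """Return (cleaned SVG text, list of removed items).

    Constructed example; real deployments should parse with defusedxml.
    """
    root = ET.fromstring(svg_text)
    findings = []

    # Pass 1: drop whole scripting elements (snapshot first, then mutate).
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in SCRIPTING_ELEMENTS:
                findings.append(f"removed <{_local(child.tag)}> element")
                parent.remove(child)

    # Pass 2: drop event handlers and links with active schemes.
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"removed {name} handler on <{_local(elem.tag)}>")
                del elem.attrib[attr]
            elif name == "href" and _unsafe_url(elem.attrib[attr]):
                findings.append(f"removed active href on <{_local(elem.tag)}>")
                del elem.attrib[attr]

    return ET.tostring(root, encoding="unicode"), findings


def is_clean(svg_text: str) -> bool:
    """True when the SVG contains none of the vectors above."""
    return not sanitize_svg(svg_text)[1]


# Constructed sample: a picture that also carries four XSS vectors.
MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    "<script>alert(document.cookie)</script>"
    '<a xlink:href="javascript:alert(1)"><text x="10" y="20">click</text></a>'
    '<circle cx="50" cy="50" r="40" onclick="alert(1)"/>'
    "</svg>"
)

BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'

if __name__ == "__main__":
    cleaned, removed = sanitize_svg(MALICIOUS_SVG)
    for item in removed:
        print(item)
    print(cleaned)
```

Stripping is shown here because it keeps the image usable; an equally valid policy for a webmail client is to reject any SVG for which `is_clean` is false, or to serve SVG attachments only with `Content-Disposition: attachment` so they never render in the application's origin.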

