oss-security - CVE Request: Roundcube: XSS issue in SVG image handling and protection for download urs against CSRF

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Sat, 23 Apr 2016 17:03:50 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: Roundcube: XSS issue in SVG image handling and
 protection for download urs against CSRF

Hi

Roundcube recently released new versions:

https://github.com/roundcube/roundcubemail/wiki/Changelog

There are at least the following two fixes:

Fix XSS issue in SVG images handling (#4949):
---------------------------------------------

Upstream issue:
  https://github.com/roundcube/roundcubemail/issues/4949

Fix for master branch:
  https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18

Fix for 1.1 branch:
  https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0

Protect download urls against CSRF using unique request tokens (#4957):
-----------------------------------------------------------------------

Upstrema issue:
  https://github.com/roundcube/roundcubemail/issues/4957

Fix for master branch:
  https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5

Fix for the 1.1 brach:
  https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53

Could you assign CVEs for those issues?

Regards,
Salvatore

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.