Date: Sat, 23 Apr 2016 17:03:50 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: Roundcube: XSS issue in SVG image handling and
 protection for download urls against CSRF

Hi

Roundcube recently released new versions:

https://github.com/roundcube/roundcubemail/wiki/Changelog

There are at least the following two fixes:

Fix XSS issue in SVG images handling (#4949):
---------------------------------------------

Upstream issue:
  https://github.com/roundcube/roundcubemail/issues/4949

Fix for master branch:
  https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18

Fix for 1.1 branch:
  https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0

Protect download urls against CSRF using unique request tokens (#4957):
-----------------------------------------------------------------------

Upstream issue:
  https://github.com/roundcube/roundcubemail/issues/4957

Fix for master branch:
  https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5

Fix for the 1.1 branch:
  https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53

Could you assign CVEs for those issues?

Regards,
Salvatore
