[security-announce] openSUSE-SU-2016:0214-1: important: Security update for roundcubemail

[news 28]

openSUSE Security Update: Security update for roundcubemail

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2016:0214-1

Rating: important

References: #962067

Cross-References: CVE-2015-8770

Affected Products:

openSUSE 13.1

______________________________________________________________________________

 

An update that fixes one vulnerability is now available.

 

Description:

 

Update to 1.0.8

- Add workaround for https://bugs.php.net/bug.php?id=70757 (#1490582)

- Fix HTML sanitizer to skip <!-- node type X --> in output

(#1490583)

- Fix charset encoding of message/rfc822 part bodies (#1490606)

- Fix handling of message/rfc822 attachments on replies and forwards

(#1490607)

- Fix PDF support detection in Firefox > 19 (#1490610)

- Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620)

[CVE-2015-8770] [bnc#962067]

- Fix so drag-n-drop of text (e.g. recipient addresses) on compose page

actually works (#1490619)

- Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)

- Updated apache2 config

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE 13.1:

 

zypper in -t patch 2016-84=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE 13.1 (noarch):

 

roundcubemail-1.0.8-2.27.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2015-8770.html

https://bugzilla.suse.com/962067

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org