
Bug 982003 (CVE-2016-5103) - VUL-0: CVE-2016-5103: roundcube: XSS vulnerability in mail content page
Status: RESOLVED FIXED
: CVE-2016-4552
Alias: CVE-2016-5103
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 42.1
Hardware: Other Other
: P3 - Medium : Normal
Assignee: Security Team bot
QA Contact: E-mail List
Reported: 2016-05-27 12:23 UTC by Alexander Bergmann
Modified: 2016-12-31 02:07 UTC

Found By: Security Response Team
Description Alexander Bergmann 2016-05-27 12:23:49 UTC
rh#1339654

The 1.2.0 release of roundcubemail fixed an XSS vulnerability in the href attribute on the area tag.

External references:

https://github.com/roundcube/roundcubemail/issues/5240

Upstream fix:

https://github.com/roundcube/roundcubemail/pull/5241

CVE assignment:

http://seclists.org/oss-sec/2016/q2/414

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1339654
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5103
http://seclists.org/oss-sec/2016/q2/414
Comment 2 Swamp Workflow Management 2016-05-27 22:00:15 UTC
bugbot adjusting priority
Comment 3 Forgotten User QYY8Uge2QR 2016-11-29 12:49:55 UTC
server:php:applications       -> fixed with update to 1.2.0 (May 24th)

openSUSE:Tumbleweed (Factory) -> fixed with update to 1.2.0 (May 24th)

openSUSE:Leap:42.1            -> fixed with update to 1.1.6 (Oct 5th)

openSUSE:13.2                 -> *pending update* with patches for 1.0.9
  MR#442694 (https://build.opensuse.org/request/show/442694)

openSUSE:13.1 (Evergreen)     -> *pending update* with patches for 1.0.9
  MR#442693 (https://build.opensuse.org/request/show/442693)
Comment 4 Johannes Segitz 2016-11-30 12:18:40 UTC
Thanks for the submits. No need to needinfo us, we see the submits in our incoming queue. Just assign the bug to us once you're done here.
Comment 5 Bernhard Wiedemann 2016-11-30 21:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (982003) was mentioned in
https://build.opensuse.org/request/show/442941 13.1 / roundcubemail
Comment 6 Swamp Workflow Management 2016-12-07 14:07:55 UTC
openSUSE-SU-2016:3032-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1001856,1012493,982003
CVE References: CVE-2016-5103
Sources used:
openSUSE 13.2 (src):    roundcubemail-1.0.9-23.1
Comment 7 Swamp Workflow Management 2016-12-07 14:12:26 UTC
openSUSE-SU-2016:3038-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001856,1012493,976988,982003
CVE References: CVE-2015-2181,CVE-2016-5103
Sources used:
openSUSE Leap 42.2 (src):    roundcubemail-1.1.7-15.1
openSUSE Leap 42.1 (src):    roundcubemail-1.1.7-15.1
Comment 8 Marcus Meissner 2016-12-09 08:01:16 UTC
released
Comment 9 Forgotten User QYY8Uge2QR 2016-12-23 11:35:49 UTC
*** Bug 1016744 has been marked as a duplicate of this bug. ***
Comment 11 Swamp Workflow Management 2016-12-31 02:07:54 UTC
openSUSE-SU-2016:3309-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1001856,1012493,982003
CVE References: CVE-2016-5103
Sources used:
openSUSE 13.1 (src):    roundcubemail-1.0.9-2.36.1