[SECURITY] [DLA 2878-1] roundcube security update

2022-01-1215:39:17

lists.debian.org

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.4 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.6%

JSON

Debian LTS Advisory DLA-2878-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
January 12, 2022 https://wiki.debian.org/LTS

Package : roundcube
Version : 1.2.3+dfsg.1-4+deb9u10
CVE ID : CVE-2021-46144
Debian Bug : 1003027

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, did not properly sanitize HTML
messages. This would allow an attacker to perform Cross-Site Scripting
(XSS) attacks.

For Debian 9 stretch, this problem has been fixed in version
1.2.3+dfsg.1-4+deb9u10.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9allroundcube-pgsql< 1.2.3+dfsg.1-4+deb9u10roundcube-pgsql_1.2.3+dfsg.1-4+deb9u10_all.deb
Debian11allroundcube-core< 1.4.13+dfsg.1-1~deb11u1roundcube-core_1.4.13+dfsg.1-1~deb11u1_all.deb
Debian11allroundcube< 1.4.13+dfsg.1-1~deb11u1roundcube_1.4.13+dfsg.1-1~deb11u1_all.deb
Debian11allroundcube-sqlite3< 1.4.13+dfsg.1-1~deb11u1roundcube-sqlite3_1.4.13+dfsg.1-1~deb11u1_all.deb
Debian11allroundcube-mysql< 1.4.13+dfsg.1-1~deb11u1roundcube-mysql_1.4.13+dfsg.1-1~deb11u1_all.deb
Debian9allroundcube-mysql< 1.2.3+dfsg.1-4+deb9u10roundcube-mysql_1.2.3+dfsg.1-4+deb9u10_all.deb
Debian10allroundcube-mysql< 1.3.17+dfsg.1-1~deb10u2roundcube-mysql_1.3.17+dfsg.1-1~deb10u2_all.deb
Debian10allroundcube< 1.3.17+dfsg.1-1~deb10u2roundcube_1.3.17+dfsg.1-1~deb10u2_all.deb
Debian9allroundcube-core< 1.2.3+dfsg.1-4+deb9u10roundcube-core_1.2.3+dfsg.1-4+deb9u10_all.deb
Debian10allroundcube-plugins< 1.3.17+dfsg.1-1~deb10u2roundcube-plugins_1.3.17+dfsg.1-1~deb10u2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	all	roundcube-pgsql	< 1.2.3+dfsg.1-4+deb9u10	roundcube-pgsql_1.2.3+dfsg.1-4+deb9u10_all.deb
Debian	11	all	roundcube-core	< 1.4.13+dfsg.1-1~deb11u1	roundcube-core_1.4.13+dfsg.1-1~deb11u1_all.deb
Debian	11	all	roundcube	< 1.4.13+dfsg.1-1~deb11u1	roundcube_1.4.13+dfsg.1-1~deb11u1_all.deb
Debian	11	all	roundcube-sqlite3	< 1.4.13+dfsg.1-1~deb11u1	roundcube-sqlite3_1.4.13+dfsg.1-1~deb11u1_all.deb
Debian	11	all	roundcube-mysql	< 1.4.13+dfsg.1-1~deb11u1	roundcube-mysql_1.4.13+dfsg.1-1~deb11u1_all.deb
Debian	9	all	roundcube-mysql	< 1.2.3+dfsg.1-4+deb9u10	roundcube-mysql_1.2.3+dfsg.1-4+deb9u10_all.deb
Debian	10	all	roundcube-mysql	< 1.3.17+dfsg.1-1~deb10u2	roundcube-mysql_1.3.17+dfsg.1-1~deb10u2_all.deb
Debian	10	all	roundcube	< 1.3.17+dfsg.1-1~deb10u2	roundcube_1.3.17+dfsg.1-1~deb10u2_all.deb
Debian	9	all	roundcube-core	< 1.2.3+dfsg.1-4+deb9u10	roundcube-core_1.2.3+dfsg.1-4+deb9u10_all.deb
Debian	10	all	roundcube-plugins	< 1.3.17+dfsg.1-1~deb10u2	roundcube-plugins_1.3.17+dfsg.1-1~deb10u2_all.deb