openSUSE Security Update : roundcubemail (openSUSE-SU-2013:1420-1)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

roundcubemail was updated to version 0.9.3 (bnc#837436)
(CVE-2013-5645)

- Optimized UI behavior for touch devices

- Fix setting refresh_interval to 'Never' in Preferences

- Fix purge action in folder manager

- Fix base URL resolving on attribute values with no
quotes

- Fix wrong handling of links with '|' character

- Fix colorspace issue on image conversion using
ImageMagick

- Fix XSS vulnerability when saving HTML signatures

- Fix XSS vulnerability when editing a message 'as new' or
draft

- Fix rewrite rule in .htaccess

- Fix detecting Turkish language in ISO-8859-9 encoding

- Fix identity-selection using Return-Path headers

- Fix parsing of links with ... in URL

- Fix compose priority selector when opening in new window

- Fix bug where signature wasn't changed on identity
selection when editing a draft

- Fix IMAP SETMETADATA parameters quoting

- Fix 'could not load message' error on valid empty
message body

- Fix handling of message/rfc822 attachments on message
forward and edit

- Fix parsing of square bracket characters in IMAP
response strings

- Don't clear References and In-Reply-To when a message is
'edited as new'

- Fix messages list sorting with THREAD=REFS

- Remove deprecated (in PHP 5.5) PREG /e modifier usage

- Fix empty messages list when register_globals is enabled

- Fix so valid and set date.timezone is not required by
installer checks

- Canonize boolean ini_get() results

- Fix so install does not fail when one of the DB driver
checks fails but other drivers exist

- Fix so exported vCard specifies encoding in
v3-compatible format

- Update to version 0.9.2

- Fix image thumbnails display in print mode

- Fix height of message headers block

- Fix timeout issue on drag&drop uploads

- Fix default sorting of threaded list when THREAD=REFS
isn't supported

- Fix list mode switch to 'List' after saving list
settings in Larry skin

- Fix error when there's no writeable addressbook source

- Fix zipdownload plugin issue with filenames charset

- Fix so non-inline images aren't skipped on forward

- Fix 'null' instead of empty string on messages list in
IE10

- Fix legacy options handling

- Fix so bounce addresses in Sender headers are skipped
on Reply-All

- Fix bug where serialized strings were truncated in
PDO::quote()

- Fix displaying messages with invalid self-closing HTML
tags

- Fix PHP warning when responding to a message with many
Return-Path headers

- Fix unintentional compose window resize

- Fix performance regression in text wrapping function

- Fix connection to postgres db using unix socket

- Fix handling of comma when adding contact from contacts
widget

- Fix bug where a message was opened in both preview pane
and new window on double-click

- Fix fatal error when xdebug.max_nesting_level was
exceeded in rcube_washtml

- Fix PHP warning in html_table::set_row_attribs() in PHP
5.4

- Fix invalid option selected in default_font selector
when font is unset

- Fix displaying contact with ID divisible by 100 in sql
addressbook

- Fix browser warnings on PDF plugin detection

- Fix fatal error when parsing UUencoded messages

- Update to version 0.9.1

- a lot of bugfixes and smaller improvements
(http://trac.roundcube.net/wiki/Changelog)

- Update to version 0.9.0

- Improved rendering of forwarded and attached messages

- Optionally display and compose email messages in new
windows

- Unified UI for message view and composition

- Show sender photos from contacts in email view

- Render thumbnails for image attachments

- Download all attachments as zip archive (using the
zipdownload plugin)

- Forward multiple emails as attachments

- CSV import for contacts

See also :

http://lists.opensuse.org/opensuse-updates/2013-09/msg00018.html
http://trac.roundcube.net/wiki/Changelog
https://bugzilla.novell.com/show_bug.cgi?id=803091
https://bugzilla.novell.com/show_bug.cgi?id=837436

Solution :

Update the affected roundcubemail package.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 75132

Bugtraq ID: 57849
61976

CVE ID: CVE-2012-6121
CVE-2013-5645
