Fedora 30 : roundcubemail (2020-57f2df7424)

high Nessus Plugin ID 136436

Synopsis

The remote Fedora host is missing a security update.

Description

**Version 1.4.4**

This is a **service and security update** to the stable version 1.4 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well as a number of general improvements from our issue tracker.

- Fix bug where attachments with Content-Id were attached to the message on reply (#7122)

- Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)

- Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)

- Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)

- Elastic: Fix color of a folder with recent messages (#7281)

- Elastic: Restrict logo size in print view (#7275)

- Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)

- Fix missing contact display name in QR Code data (#7257)

- Fix so button label in Select image/media dialogs is 'Close' not 'Cancel' (#7246)

- Fix regression in testing database schema on MSSQL (#7227)

- Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)

- Fix string literals handling in IMAP STATUS (and various other) responses (#7290)

- Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)

- Fix handling keyservers configured with protocol prefix (#7295)

- Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)

- Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)

- Fix so imap error message is displayed to the user on folder create/update (#7245)

- Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)

- Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)

- Fix characters encoding in group rename input after group creation/rename (#7330)

- Fix bug where some message/rfc822 parts could not be attached on forward (#7323)

- Make install-jsdeps.sh script work without the 'file' program installed (#7325)

- Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)

- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)

- **Security**: Fix XSS issue in handling of CDATA in HTML messages

- **Security**: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings

- **Security**: Fix local file inclusion (and code execution) via crafted 'plugins' option

- **Security**: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected roundcubemail package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2020-57f2df7424

Plugin Details

Severity: High

ID: 136436

File Name: fedora_2020-57f2df7424.nasl

Version: 1.1

Type: local

Agent: unix

Published: 5/11/2020

Updated: 5/11/2020

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:30, p-cpe:/a:fedoraproject:fedora:roundcubemail

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 5/9/2020

Vulnerability Publication Date: 5/9/2020

Reference Information