openSUSE Security Update : roundcubemail (openSUSE-SU-2013:1420-1)

Medium Nessus Plugin ID 75132


The remote openSUSE host is missing a security update.


roundcubemail was updated to version 0.9.3 (bnc#837436) (CVE-2013-5645)

- Optimized UI behavior for touch devices

- Fix setting refresh_interval to 'Never' in Preferences

- Fix purge action in folder manager

- Fix base URL resolving on attribute values with no quotes

- Fix wrong handling of links with '|' character

- Fix colorspace issue on image conversion using ImageMagick?

- Fix XSS vulnerability when saving HTML signatures

- Fix XSS vulnerability when editing a message 'as new' or draft

- Fix rewrite rule in .htaccess

- Fix detecting Turkish language in ISO-8859-9 encoding

- Fix identity-selection using Return-Path headers

- Fix parsing of links with ... in URL

- Fix compose priority selector when opening in new window

- Fix bug where signature wasn't changed on identity selection when editing a draft

- Fix IMAP SETMETADATA parameters quoting

- Fix 'could not load message' error on valid empty message body

- Fix handling of message/rfc822 attachments on message forward and edit

- Fix parsing of square bracket characters in IMAP response strings

- Don't clear References and in-Reply-To when a message is 'edited as new'

- Fix messages list sorting with THREAD=REFS

- Remove deprecated (in PHP 5.5) PREG /e modifier usage

- Fix empty messages list when register_globals is enabled

- Fix so valid and set date.timezone is not required by installer checks

- Canonize boolean ini_get() results

- Fix so install do not fail when one of DB driver checks fails but other drivers exist

- Fix so exported vCard specifies encoding in v3-compatible format

- Update to version 0.9.2

- Fix image thumbnails display in print mode

- Fix height of message headers block

- Fix timeout issue on drag&drop uploads

- Fix default sorting of threaded list when THREAD=REFS isn't supported

- Fix list mode switch to 'List' after saving list settings in Larry skin

- Fix error when there's no writeable addressbook source

- Fix zipdownload plugin issue with filenames charset

- Fix so non-inline images aren't skipped on forward

- Fix 'null' instead of empty string on messages list in IE10

- Fix legacy options handling

- Fix so bounces addresses in Sender headers are skipped on Reply-All

- Fix bug where serialized strings were truncated in PDO::quote()

- Fix displaying messages with invalid self-closing HTML tags

- Fix PHP warning when responding to a message with many Return-Path headers

- Fix unintentional compose window resize

- Fix performance regression in text wrapping function

- Fix connection to posgtres db using unix socket

- Fix handling of comma when adding contact from contacts widget

- Fix bug where a message was opened in both preview pane and new window on double-click

- Fix fatal error when xdebug.max_nesting_level was exceeded in rcube_washtml

- Fix PHP warning in html_table::set_row_attribs() in PHP 5.4

- Fix invalid option selected in default_font selector when font is unset

- Fix displaying contact with ID divisible by 100 in sql addressbook

- Fix browser warnings on PDF plugin detection

- Fix fatal error when parsing UUencoded messages

- Update to version 0.9.1

- a lot of bugfixes and smaller improvements (

- Update to version 0.9.0

- Improved rendering of forwarded and attached messages

- Optionally display and compose email messages a new windows

- Unified UI for message view and composition

- Show sender photos from contacts in email view

- Render thumbnails for image attachments

- Download all attachments as zip archive (using the zipdownload plugin)

- Forward multiple emails as attachments

- CSV import for contacts


Update the affected roundcubemail package.

See Also

Plugin Details

Severity: Medium

ID: 75132

File Name: openSUSE-2013-687.nasl

Version: $Revision: 1.2 $

Type: local

Agent: unix

Published: 2014/06/13

Modified: 2016/05/09

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:roundcubemail, cpe:/o:novell:opensuse:12.2, cpe:/o:novell:opensuse:12.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/08/30

Reference Information

CVE: CVE-2012-6121, CVE-2013-5645

BID: 57849, 61976

OSVDB: 90175, 90177, 96575, 96576