Three flaws were reported in roundcubemail:
- XSS vulnerability in _mbox argument
  Upstream Issue: http://trac.roundcube.net/ticket/1490417
  Commit: http://trac.roundcube.net/changeset/b782815dac/github
- security improvement in contact photo handling
  Upstream issue: http://trac.roundcube.net/ticket/1490379
  Commits:
  1.1: http://trac.roundcube.net/changeset/681ba6fc3/github
  1.0: http://trac.roundcube.net/changeset/6ccd4c54b/github
- potential info disclosure from temp directory
  Upstream issue: http://trac.roundcube.net/ticket/1490378
  Commits:
  http://trac.roundcube.net/changeset/012555c1c/github
  http://trac.roundcube.net/changeset/16640c7fb0c8/github
CVE request (with additional details): http://seclists.org/oss-sec/2015/q3/39
External References: https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/
Created roundcubemail tracking bugs for this issue:
Affects: fedora-all [bug 1241057]
Affects: epel-all [bug 1241058]
roundcubemail-1.1.2-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-1.1.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-1.1.2-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-1.0.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.