Ubuntu Security Notice 6848-1 - Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. Rene Rehme discovered that Roundcube incorrectly handled certain headers. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.
6806c53c3241b7542421db1f1d4222c2a53699435aca3668ff2429b7404c20a5
==========================================================================
Ubuntu Security Notice USN-6848-1
June 25, 2024
roundcube vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Roundcube could be made to crash or run programs if it received specially
crafted input.
Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers - metapack
Details:
Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly
handled certain SVG images. A remote attacker could possibly use this
issue to load arbitrary JavaScript code. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.
(CVE-2023-5631)
Rene Rehme discovered that Roundcube incorrectly handled certain headers.
A remote attacker could possibly use this issue to load arbitrary
JavaScript code. This issue only affected Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-47272)
Valentin T. and Lutz Wolf discovered that Roundcube incorrectly handled
certain SVG images. A remote attacker could possibly use this issue to
load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2024-37383)
Huy Nguyễn Phạm Nhật discovered that Roundcube incorrectly handled
certain fields in user preferences. A remote attacker could possibly use
this issue to load arbitrary JavaScript code. (CVE-2024-37384)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10
roundcube 1.6.2+dfsg-1ubuntu0.2
roundcube-core 1.6.2+dfsg-1ubuntu0.2
Ubuntu 22.04 LTS
roundcube 1.5.0+dfsg.1-2ubuntu0.1~esm3
Available with Ubuntu Pro
roundcube-core 1.5.0+dfsg.1-2ubuntu0.1~esm3
Available with Ubuntu Pro
Ubuntu 20.04 LTS
roundcube 1.4.3+dfsg.1-1ubuntu0.1~esm4
Available with Ubuntu Pro
roundcube-core 1.4.3+dfsg.1-1ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 18.04 LTS
roundcube 1.3.6+dfsg.1-1ubuntu0.1~esm4
Available with Ubuntu Pro
roundcube-core 1.3.6+dfsg.1-1ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 16.04 LTS
roundcube 1.2~beta+dfsg.1-0ubuntu1+esm4
Available with Ubuntu Pro
roundcube-core 1.2~beta+dfsg.1-0ubuntu1+esm4
Available with Ubuntu Pro
After a standard system update you need to restart Roundcube to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6848-1
CVE-2023-47272, CVE-2023-5631, CVE-2024-37383, CVE-2024-37384,
https://launchpad.net/bugs/2043396
Package Information:
https://launchpad.net/ubuntu/+source/roundcube/1.6.2+dfsg-1ubuntu0.2