Bug 982003 (CVE-2016-5103)

Summary: VUL-0: CVE-2016-5103: roundcube: XSS vulnerability in mail content page
Product: [openSUSE] openSUSE Distribution
Reporter: Alexander Bergmann <abergmann>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, aj, jsegitz, lars.vogdt, meissner, security-team, wolfgang
Version: Leap 42.1
Target Milestone: ---
Hardware: Other
OS: Other
See Also: http://bugzilla.opensuse.org/show_bug.cgi?id=1001856
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2016-05-27 12:23:49 UTC
rh#1339654

The 1.2.0 release of roundcubemail fixed an XSS vulnerability in the href attribute of the area tag.

External references:

https://github.com/roundcube/roundcubemail/issues/5240

Upstream fix:

https://github.com/roundcube/roundcubemail/pull/5241

CVE assignment:

http://seclists.org/oss-sec/2016/q2/414

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1339654
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5103
http://seclists.org/oss-sec/2016/q2/414
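The description above says only that the XSS sat in the href attribute of the area tag. The following is an added example, not code from this bug report or from the roundcube project (whose HTML washer is written in PHP); it assumes, as a hypothesis about the bug class rather than a statement about the upstream fix, that a sanitizer validated URL schemes on `<a href>` but did not apply the same check to `<area href>`, so a `javascript:` URL survived on an image-map hotspot. The `wash_vulnerable` / `wash_fixed` split and the sample message are constructed for illustration; the hardened variant checks every URL-bearing attribute regardless of the element that carries it, and normalizes the value before looking at the scheme, since browsers ignore whitespace and control characters inside `java\tscript:`.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlists for the toy sanitizer (assumed values, not roundcube's).
ALLOWED_TAGS = {"a", "area", "map", "img", "p", "br", "b", "i", "div", "span"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "shape", "coords", "usemap", "name"}
URL_ATTRS = {"href", "src"}          # attributes whose value is navigated/fetched
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"area", "img", "br"}    # no closing tag is emitted for these


def safe_url(value: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme.

    Control characters and whitespace are stripped first, because browsers
    drop them when parsing a scheme, so "java\\tscript:" is still javascript:.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    if not m:
        return True  # no scheme at all: a relative URL
    return m.group(1).lower() in SAFE_SCHEMES


class Washer(HTMLParser):
    """Rebuilds the document from allowlisted tags and attributes.

    `check_tags` is the set of elements whose URL attributes get the scheme
    check; the vulnerable configuration leaves <area> out of it.
    """

    def __init__(self, check_tags):
        super().__init__(convert_charrefs=True)
        self.check_tags = check_tags
        self.out = []       # sanitized fragments
        self.dropped = []   # (tag, attr, value) rejected by the scheme check

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:   # silently drops on* handlers, style, ...
                continue
            if name in URL_ATTRS and tag in self.check_tags and not safe_url(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def wash(html: str, check_tags):
    w = Washer(check_tags)
    w.feed(html)
    w.close()
    return "".join(w.out), w.dropped


def wash_vulnerable(html: str):
    # Scheme check only on <a> and <img>: an <area href> passes untouched.
    return wash(html, {"a", "img"})


def wash_fixed(html: str):
    # Scheme check on every allowed element that carries a URL attribute.
    return wash(html, ALLOWED_TAGS)


# Constructed sample message body: an image map whose hotspot and a plain
# link both carry javascript: URLs, plus one legitimate https link.
SAMPLE = (
    '<p>Click the map</p>'
    '<img src="https://example.com/map.png" usemap="#m" alt="map">'
    '<map name="m"><area shape="rect" coords="0,0,10,10" '
    'href="JavaScript:alert(1)" onmouseover="alert(3)"></map>'
    '<a href="javascript:alert(2)">link</a>'
    '<a href="https://example.com/">ok</a>'
)

if __name__ == "__main__":
    for label, fn in (("vulnerable", wash_vulnerable), ("fixed", wash_fixed)):
        out, dropped = fn(SAMPLE)
        print(f"[{label}] dropped: {dropped}")
        print(f"[{label}] output : {out}")
```

Run stand-alone, the vulnerable washer rejects only the `<a href>` and emits the `<area>` with its `JavaScript:alert(1)` intact; the fixed washer rejects both, and the `onmouseover` handler never reaches the output in either mode because it is not an allowlisted attribute.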
Comment 2 Swamp Workflow Management 2016-05-27 22:00:15 UTC
bugbot adjusting priority
Comment 3 Aeneas Jaißle 2016-11-29 12:49:55 UTC
server:php:applications       -> fixed with update to 1.2.0 (May 24th)

openSUSE:Tumbleweed (Factory) -> fixed with update to 1.2.0 (May 24th)

openSUSE:Leap:42.1            -> fixed with update to 1.1.6 (Oct 5th)

openSUSE:13.2                 -> *pending update* with patches for 1.0.9
  MR#442694 (https://build.opensuse.org/request/show/442694)

openSUSE:13.1 (Evergreen)     -> *pending update* with patches for 1.0.9
  MR#442693 (https://build.opensuse.org/request/show/442693)
Comment 4 Johannes Segitz 2016-11-30 12:18:40 UTC
Thanks for the submits. No need to needinfo us; we see the submits in our incoming queue. Just assign the bug to us once you're done here.
Comment 5 Bernhard Wiedemann 2016-11-30 21:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (982003) was mentioned in
https://build.opensuse.org/request/show/442941 13.1 / roundcubemail
Comment 6 Swamp Workflow Management 2016-12-07 14:07:55 UTC
openSUSE-SU-2016:3032-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1001856,1012493,982003
CVE References: CVE-2016-5103
Sources used:
openSUSE 13.2 (src):    roundcubemail-1.0.9-23.1
Comment 7 Swamp Workflow Management 2016-12-07 14:12:26 UTC
openSUSE-SU-2016:3038-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001856,1012493,976988,982003
CVE References: CVE-2015-2181,CVE-2016-5103
Sources used:
openSUSE Leap 42.2 (src):    roundcubemail-1.1.7-15.1
openSUSE Leap 42.1 (src):    roundcubemail-1.1.7-15.1
Comment 8 Marcus Meissner 2016-12-09 08:01:16 UTC
released
Comment 9 Aeneas Jaißle 2016-12-23 11:35:49 UTC
*** Bug 1016744 has been marked as a duplicate of this bug. ***
Comment 11 Swamp Workflow Management 2016-12-31 02:07:54 UTC
openSUSE-SU-2016:3309-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1001856,1012493,982003
CVE References: CVE-2016-5103
Sources used:
openSUSE 13.1 (src):    roundcubemail-1.0.9-2.36.1