An update that solves two vulnerabilities and has two fixes is now available.
Description:
roundcubemail was updated to version 1.1.7 and fixes the following issues:
- Update to 1.1.7
* A maliciously crafted FROM value could cause extra parameters to be passed to the sendmail command (boo#1012493)
* A maliciously crafted email could cause untrusted code to be executed (cross site scripting using <area href=javascript:...>) (boo#982003, CVE-2016-5103)
* Avoid HTML styles that could cause potential click jacking (boo#1001856)
- Update to 1.1.5
* Fixed security issue in DBMail driver of password plugin (CVE-2015-2181, boo#976988)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE Leap 42.2:
zypper in -t patch openSUSE-2016-1419=1
- openSUSE Leap 42.1:
zypper in -t patch openSUSE-2016-1419=1
To bring your system up-to-date, use "zypper patch".