
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN330
_____________________________________________________________________

DATE                : 11/06/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Roundcube 1.4.x prior to 1.4.5 or
                     1.3.x prior to 1.3.12.

=====================================================================
https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12
https://roundcube.net/news/2020/06/07/updates-1.4.6-and-1.3.13-released
_____________________________________________________________________

Security updates 1.4.5 and 1.3.12 released

02 June 2020


We just published service and security updates to the stable version 1.4
and the LTS version 1.3 of Roundcube Webmail. They contain four fixes
for recently reported security vulnerabilities as well as a number of
general improvements from our issue tracker.


Security fixes

    Fix XSS issue in template object username **
    Fix cross-site scripting (XSS) via malicious XML attachment *
    Fix a couple of XSS issues in Installer **
    Better fix for CVE-2020-12641

The latter two vulnerabilities are again related to public access to the
Roundcube installer and are therefore classified as minor.

See the full changelogs in the release notes on the Github download
pages for the updated versions 1.4.5 and 1.3.12.

We strongly recommend updating all production installations of
Roundcube to these new versions.
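A small, added helper (not CERT-Renater's or Roundcube's own tooling) for
administrators who track several Roundcube hosts: it decides, per branch,
whether an installed version still falls inside the range this advisory
calls affected. The fixed versions 1.4.5 and 1.3.12 are taken from the
advisory; the handling of branches older than 1.3 (treated as needing an
upgrade) and newer than 1.4 (treated as not affected by this advisory), the
tolerance for suffixes such as "-git", and the sample inventory are
assumptions made for the example.

```python
"""Branch-aware check for the Roundcube security updates 1.4.5 / 1.3.12.

Added example; the fixed versions come from the advisory, everything else
(branch policy, suffix handling, sample inventory) is an assumption.
"""
import re

# First fixed release per branch, as stated in the advisory. 1.4.6 / 1.3.13
# only repair the installer regression, so 1.4.5 / 1.3.12 remain the
# security thresholds.
FIXED = {(1, 4): (1, 4, 5), (1, 3): (1, 3, 12)}

# Accept "1.4.4", "1.3.12-git", "1.4.5 (Roundcube)" etc.: only the leading
# three numeric components are compared (assumption: suffixes do not change
# the security status).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for a Roundcube version string.

    Raises ValueError for strings that do not start with three integers,
    so a typo in an inventory is reported instead of silently passing.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version still needs the 1.4.5 / 1.3.12 security update.

    Branch policy (assumption, not from the advisory):
      * 1.4.x and 1.3.x: compare against the fixed release of that branch.
      * anything older than 1.3: unsupported, no fix shipped -> affected.
      * anything newer than 1.4: released after the fix -> not affected.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) < FIXED[branch]
    return branch < min(FIXED)


# Constructed sample inventory: hostname -> version reported by each install.
SAMPLE_INVENTORY = {
    "mail-a.example": "1.4.4",        # stable branch, one release short
    "mail-b.example": "1.4.5",        # already patched
    "mail-c.example": "1.3.11-git",   # LTS branch, needs update
    "mail-d.example": "1.3.13",       # LTS follow-up release, fine
    "mail-e.example": "1.2.9",        # end-of-life branch, never fixed
}


def hosts_needing_update(inventory):
    """Sorted hostnames whose Roundcube version is inside the affected range."""
    return sorted(host for host, version in inventory.items()
                  if is_affected(version))


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to 1.4.5 / 1.3.12 or later")
```

Feed it whatever version string your configuration management already
collects from each install; the point of keeping the thresholds per branch
is that a 1.3.12 LTS host is patched even though 1.3.12 sorts below 1.4.5.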


* Credits to the security researcher Matei “Mal” Badanoiu
** Credits to the security researcher [email protected] 404Team

_____________________________________________________________________

Updates 1.4.6 and 1.3.13 released

07 June 2020


We just published two follow-up releases to the recently published
versions 1.4.5 and 1.3.12 of Roundcube Webmail.

They contain only a single fix for the installer’s test step which was
broken with the last release. The update is therefore only relevant for
new installations which use the installer to set up Roundcube.


Changelog

    Installer: Fix regression in SMTP test section (#7417)


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
