=====================================================================

                              CERT-Renater

                    Note d'Information No. 2023/VULN410

_____________________________________________________________________

DATE                : 18/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Roundcube Webmail versions
                        prior to 1.6.4, 1.5.5, 1.4.15.

=====================================================================
https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15
https://roundcube.net/news/2023/10/16/security-update-1.6.4-released
_____________________________________________________________________

Security updates 1.5.5 and 1.4.15 released

Published: 16 October 2023

     Tags: releases updates security
We just published security updates to the LTS versions 1.4 and 1.5
of Roundcube Webmail. They all contain a fix for a recently reported
security vulnerability.


Security fix

Fix cross-site scripting (XSS) vulnerability in handling of SVG
in HTML messages (#9168). Credit for this finding goes to
Matthieu Faou (ESET) and Denys Klymenko, who reported it separately.

See the full changelogs in the release notes on the GitHub
download pages for the updated versions 1.5.5 and 1.4.15.

We strongly recommend updating all production installations
of Roundcube 1.4.x and 1.5.x to these new versions.

Please note that we do not plan any more releases in the 1.4 line.

_____________________________________________________________________

Security update 1.6.4 released

Published: 16 October 2023

     Tags: releases updates security
We just published a security update to the version 1.6 of Roundcube
Webmail. It provides a fix to a recently reported XSS vulnerability:

     Fix cross-site scripting (XSS) vulnerability in handling of SVG
     in HTML messages (#9168) reported separately by Matthieu Faou
     (ESET) and Denys Klymenko.

See the full changelog in the release notes on the GitHub
download page.

We strongly recommend updating all production installations of
Roundcube 1.6.x to this new version.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
