MGASA-2020-0206 - Updated roundcubemail packages fix security vulnerabilities

Publication date: 08 May 2020
URL: https://advisories.mageia.org/MGASA-2020-0206.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-12625,
     CVE-2020-12626

Updated roundcubemail packages fix security vulnerabilities:

- Cross-Site Scripting (XSS) via malicious HTML content
  (CVE-2020-12625)
- CSRF attack can cause an authenticated user to be logged out
  (CEV-2020-12626)
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via
  crafted 'plugins' option

References:
- https://bugs.mageia.org/show_bug.cgi?id=26586
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.11
- https://www.debian.org/security/2020/dsa-4674
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12625
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12626

SRPMS:
- 7/core/roundcubemail-1.3.11-1.mga7