Headline
Ubuntu Security Notice USN-6848-1
Ubuntu Security Notice 6848-1 - Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. Rene Rehme discovered that Roundcube incorrectly handled certain headers. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.
==========================================================================
Ubuntu Security Notice USN-6848-1
June 25, 2024
roundcube vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Roundcube could be made to crash or run programs if it received specially
crafted input.
Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers - metapack
Details:
Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly
handled certain SVG images. A remote attacker could possibly use this
issue to load arbitrary JavaScript code. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.
(CVE-2023-5631)
Rene Rehme discovered that Roundcube incorrectly handled certain headers.
A remote attacker could possibly use this issue to load arbitrary
JavaScript code. This issue only affected Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-47272)
Valentin T. and Lutz Wolf discovered that Roundcube incorrectly handled
certain SVG images. A remote attacker could possibly use this issue to
load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2024-37383)
Huy Nguyễn Phạm Nhật discovered that Roundcube incorrectly handled
certain fields in user preferences. A remote attacker could possibly use
this issue to load arbitrary JavaScript code. (CVE-2024-37384)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10
  roundcube                       1.6.2+dfsg-1ubuntu0.2
  roundcube-core                  1.6.2+dfsg-1ubuntu0.2

Ubuntu 22.04 LTS
  roundcube                       1.5.0+dfsg.1-2ubuntu0.1~esm3
                                  Available with Ubuntu Pro
  roundcube-core                  1.5.0+dfsg.1-2ubuntu0.1~esm3
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  roundcube                       1.4.3+dfsg.1-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro
  roundcube-core                  1.4.3+dfsg.1-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  roundcube                       1.3.6+dfsg.1-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro
  roundcube-core                  1.3.6+dfsg.1-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  roundcube                       1.2~beta+dfsg.1-0ubuntu1+esm4
                                  Available with Ubuntu Pro
  roundcube-core                  1.2~beta+dfsg.1-0ubuntu1+esm4
                                  Available with Ubuntu Pro

After a standard system update you need to restart Roundcube to make
all the necessary changes.
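
A fleet check against the fixed versions listed above, as an added example that is not part of the original notice: it reimplements Debian version ordering (the ordering `dpkg --compare-versions` applies) so that the `~esm`, `+esm` and `~beta` suffixes sort correctly, and flags hosts still below the fix. The host names and inventory rows are constructed, and ASCII version strings are assumed.

```python
import re

FIXED = {  # fixed roundcube-core version per VERSION_ID, from the notice above
    "23.10": "1.6.2+dfsg-1ubuntu0.2",
    "22.04": "1.5.0+dfsg.1-2ubuntu0.1~esm3",
    "20.04": "1.4.3+dfsg.1-1ubuntu0.1~esm4",
    "18.04": "1.3.6+dfsg.1-1ubuntu0.1~esm4",
    "16.04": "1.2~beta+dfsg.1-0ubuntu1+esm4",
}

def _order(c):
    # dpkg weights: '~' < end of string or digit < letters < other symbols
    if c == "" or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) + (0 if c.isalpha() else 256)

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights one at a time.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # Digit run: compare numerically, so esm10 sorts after esm4.
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def deb_cmp(x, y):
    """Return -1, 0 or 1 following Debian version ordering."""
    def split(v):
        epoch, v = v.split(":", 1) if ":" in v else ("0", v)
        return (int(epoch), *(v.rsplit("-", 1) if "-" in v else (v, "")))
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    return (ex > ey) - (ex < ey) or _cmp_part(ux, uy) or _cmp_part(rx, ry)

def unpatched(inventory):
    return [h for h, rel, ver in inventory if rel in FIXED and deb_cmp(ver, FIXED[rel]) < 0]

INVENTORY = [  # constructed sample: (host, VERSION_ID, installed roundcube-core)
    ("mail-a", "22.04", "1.5.0+dfsg.1-2"),
    ("mail-b", "16.04", "1.2~beta+dfsg.1-0ubuntu1+esm3"),
    ("mail-c", "20.04", "1.4.3+dfsg.1-1ubuntu0.1~esm10"),
]
print(unpatched(INVENTORY))  # hosts still below the fixed version
```

A plain string comparison would misorder `~esm10` against `~esm4`, which is why the digit runs are compared as numbers.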
References:
https://ubuntu.com/security/notices/USN-6848-1
CVE-2023-47272, CVE-2023-5631, CVE-2024-37383, CVE-2024-37384,
https://launchpad.net/bugs/2043396
Package Information:
https://launchpad.net/ubuntu/+source/roundcube/1.6.2+dfsg-1ubuntu0.2
Related news
Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of
CrowdStrike discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow an attacker to perform Cross-Site Scripting (XSS) attacks.
Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]
Debian Linux Security Advisory 5572-1 - Rene Rehme discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly set headers when handling attachments. This would allow an attacker to load arbitrary JavaScript code.
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
A campaign targeting European governmental organizations and a think tank shows consistency from the low-profile threat group, which has ties to Belarus and Russia.
The threat actor known as Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts. "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu Faou said in a new report published today. Previously, it was using known
By Waqas ESET Research Uncovers New Targeted Campaign Impacting European Governments and Think Tanks. This is a post from HackRead.com Read the original post: APT Winter Vivern Exploits New Roundcube 0-Day to Target European Entities
Debian Linux Security Advisory 5531-1 - It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code.
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.