   openSUSE Security Update: Security update for roundcubemail
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:1904-1
Rating:             moderate
References:         #938840 #952006
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   roundcubemail was updated to version 1.0.7 to fix two security issues.

   These security issues were fixed:
   - XSS issue in drag-n-drop file uploads
   - Disallow unwanted access on files in the file system.
     The apache2 configuration file for roundcubemail allowed access to the
     roundcubemail/bin folder and possibly /logs, /config and /temp, if
     these were not symlinks (this was only the case when the configuration
     was manually changed) (bsc#952006)

   The package comes with a fixed configuration. If you modified the file
   "/etc/apache2/conf.d/roundcubemail.conf", please replace it with the
   configuration "roundcubemail.conf.rpmnew" and reapply your changes. After
   that, a restart of apache2 is required.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2015-699=1

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2015-699=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.2 (noarch):

      roundcubemail-1.0.7-14.1

   - openSUSE 13.1 (noarch):

      roundcubemail-1.0.7-2.24.1

References:

   https://bugzilla.suse.com/938840
   https://bugzilla.suse.com/952006
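
For the configuration issue described under bsc#952006, the following added example (not part of the advisory or of the roundcubemail package) checks a merged roundcubemail.conf for the four directories the advisory names and reports any that no longer have a denying <Directory> block. The sample configurations and the /srv/www/roundcubemail path are constructed for illustration, and the check assumes the standard Apache deny directives rather than the exact contents of the shipped file.

```python
import re

# Directories the advisory names as reachable under the old configuration.
SENSITIVE = ("bin", "logs", "config", "temp")

# Deny forms: Apache 2.4 "Require all denied", Apache 2.2 "Deny from all".
DENY_RE = re.compile(r'^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$', re.I | re.M)
# Plain <Directory> sections only; <DirectoryMatch> is not evaluated here.
BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)


def unprotected_dirs(conf_text, sensitive=SENSITIVE):
    """Return the sensitive directory names that lack a denying <Directory> block."""
    # Drop comment lines so a commented-out block does not count as protection.
    active = "\n".join(l for l in conf_text.splitlines() if not l.lstrip().startswith("#"))
    protected = set()
    for path, body in BLOCK_RE.findall(active):
        name = path.rstrip("/").rsplit("/", 1)[-1]
        if name in sensitive and DENY_RE.search(body):
            protected.add(name)
    return [d for d in sensitive if d not in protected]


# Constructed sample: one block grants the whole tree, nothing is denied.
PERMISSIVE_CONF = """
Alias /roundcubemail /srv/www/roundcubemail
<Directory /srv/www/roundcubemail>
    Options FollowSymLinks
    Require all granted
</Directory>
"""

# Constructed sample: local changes reapplied, but the temp block was commented out.
MERGED_CONF = PERMISSIVE_CONF + """
<Directory "/srv/www/roundcubemail/bin">
    Require all denied
</Directory>
<Directory /srv/www/roundcubemail/logs/>
    Order deny,allow
    Deny from all
</Directory>
<Directory /srv/www/roundcubemail/config>
    Require all denied
</Directory>
# <Directory /srv/www/roundcubemail/temp>
#     Require all denied
# </Directory>
"""

if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE_CONF), ("merged", MERGED_CONF)):
        print(label, "-> not denied:", unprotected_dirs(conf) or "none")
```

To check a real system, pass the contents of "/etc/apache2/conf.d/roundcubemail.conf" to unprotected_dirs() after reapplying local changes and before restarting apache2. This is a static check of one file, so rules set elsewhere (other included files, .htaccess) are not taken into account.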