   openSUSE Security Update: Security update for roundcubemail
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:0116-1
Rating:             moderate
References:         #913095
Cross-References:   CVE-2014-9587
Affected Products:
                    openSUSE 13.2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   roundcubemail was updated to 1.0.4 fixing bugs and security issues.

   Changes:
   * Disable TinyMCE contextmenu plugin as there are more cons than pros
     in using it (#1490118)
   * Fix bug where show_real_foldernames setting wasn't honored on
     compose page (#1490153)
   * Fix issue where Archive folder wasn't protected in Folder Manager
     (#1490154)
   * Fix compatibility with PHP 5.2 in rcube_imap_generic (#1490115)
   * Fix setting flags on servers with no PERMANENTFLAGS response
     (#1490087)
   * Fix regression in SHAA password generation in ldap driver of
     password plugin (#1490094)
   * Fix displaying of HTML messages with absolutely positioned elements
     in Larry skin (#1490103)
   * Fix font style display issue in HTML messages with styled <span>
     elements (#1490101)
   * Fix download of attachments that are part of TNEF message
     (#1490091)
   * Fix handling of uuencoded messages if messages_cache is enabled
     (#1490108)
   * Fix handling of base64-encoded attachments with extra spaces
     (#1490111)
   * Fix handling of UNKNOWN-CTE response, try to decode content
     client-side (#1490046)
   * Fix bug where creating subfolders in shared folders wasn't possible
     without ACL extension (#1490113)
   * Fix reply scrolling issue with text mode and start message below
     the quote (#1490114)
   * Fix possible issues in skin/skin_path config handling (#1490125)
   * Fix lack of delimiter for recipient addresses in smtp_log
     (#1490150)
   * Fix generation of Blowfish-based password hashes (#1490184)
   * Fix bugs where CSRF attacks were still possible on some requests
     (CVE-2014-9587)

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2015-58

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.2 (noarch):

      roundcubemail-1.0.4-4.1

References:

   http://support.novell.com/security/cve/CVE-2014-9587.html
   https://bugzilla.suse.com/show_bug.cgi?id=913095