   openSUSE Security Update: Security update for roundcubemail
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:0286-1
Rating:             moderate
References:         #863569 #915789
Cross-References:   CVE-2015-1433
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   roundcubemail was updated to version 1.0.5 to fix one security issue.

   This security issue was fixed:
   - CVE-2015-1433: program/lib/Roundcube/rcube_washtml.php in Roundcube
     before 1.0.5 did not properly quote strings, which allowed remote
     attackers to conduct cross-site scripting (XSS) attacks via the style
     attribute in an email (bnc#915789).

   Various non-security bugs were resolved in this update. Please see the
   changes file for details.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2015-148=1

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2015-148=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.2 (noarch):

      roundcubemail-1.0.5-8.1

   - openSUSE 13.1 (noarch):

      roundcubemail-1.0.5-2.18.1

References:

   http://support.novell.com/security/cve/CVE-2015-1433.html
   https://bugzilla.suse.com/863569
   https://bugzilla.suse.com/915789
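
A post-patch check for the Package List above, as an added example that is not part of the original advisory: it compares an installed roundcubemail version-release against the fixed build for each product. The function names (fixed_build, is_fixed, check_installed) are hypothetical, and GNU `sort -V` is assumed as an approximation of RPM's own version ordering.

```shell
#!/bin/bash
# Added example (not from the advisory): confirm that roundcubemail is at or
# above the fixed build named in the advisory's Package List.

# Fixed version-release per product, copied from the Package List.
fixed_build() {
    case "$1" in
        13.2) echo "1.0.5-8.1" ;;
        13.1) echo "1.0.5-2.18.1" ;;
        *)    return 1 ;;
    esac
}

# is_fixed PRODUCT VERSION-RELEASE
# Returns 0 if the given build is >= the fixed build, 1 if it is older,
# 2 if the product is not covered by this advisory.
# Assumption: `sort -V` (GNU coreutils) stands in for RPM's comparison; it
# orders numeric fields numerically, so 2.9.1 sorts before 2.18.1.
is_fixed() {
    local want have lowest
    want=$(fixed_build "$1") || return 2
    have=$2
    lowest=$(printf '%s\n%s\n' "$want" "$have" | sort -V | head -n 1)
    [ "$lowest" = "$want" ]
}

# check_installed PRODUCT
# Queries the local RPM database and reports whether the host still needs
# the update. Requires rpm; not called automatically.
check_installed() {
    local have
    have=$(rpm -q --qf '%{VERSION}-%{RELEASE}' roundcubemail) || {
        echo "roundcubemail is not installed"; return 0; }
    if is_fixed "$1" "$have"; then
        echo "OK: roundcubemail-$have includes the CVE-2015-1433 fix"
    else
        echo "UPDATE NEEDED: roundcubemail-$have predates $(fixed_build "$1")"
        return 1
    fi
}

# Constructed sample value (not a real package build): an older 13.1 release.
is_fixed 13.1 "1.0.5-2.9.1" || echo "1.0.5-2.9.1 predates the fixed 13.1 build"
```

On a patched host, `check_installed 13.2` (or `13.1`) should print the OK line after running the zypper command for that product.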