An XSS vulnerability has been reported and fixed in Roundcube; see http://seclists.org/oss-sec/2016/q2/414 and https://github.com/roundcube/roundcubemail/issues/5240

I have applied this fix to Kolab 3.4 Updates:
https://obs.kolabsys.com/package/show/Kolab:3.4:Updates/roundcubemail

I also prepared an update for Kolab 16:
https://obs.kolabsys.com/request/show/1646
(I had to do the branch and submit request from the command line, because today the SSL certificate for obs.kolabsys.com expired, which breaks the login through the browser interface. UPDATE: the SSL certificate has been updated.)

I do have commit permissions for Kolab 3.4, but I don’t have commit permissions for Kolab 16.

I have asked on IRC, but probably due to a holiday weekend in parts of Germany and Switzerland, I did not get an immediate reply. That is fair enough.

UPDATE: Jeroen has reviewed and accepted the submit request, so the security patch has been applied to Roundcube in Kolab 16! Thank you!

I have asked the question now on the developers’ mailing list, with CC to Jeroen: https://lists.kolab.org/pipermail/devel/2016-May/015446.html

Now that the community and the enterprise version have been merged, we still need a way to provide security updates for the community.

Please join the discussion on the mailing list. Or should we use https://kolab.org/hub/ instead?

Security Update for XSS vulnerability CVE-2016-5103 in Roundcube for Kolab 3.4 and for Kolab 16