| Summary: | roundcubemail new security issues fixed in 0.9.3 (CVE-2013-5645) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, oe, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/565276/ | ||
| Whiteboard: | has_procedure mga2too MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK | ||
| Source RPM: | roundcubemail | CVE: | |
| Status comment: | |||

Description
David Walser
2013-08-23 18:54:51 CEST

Oden fixed this in Cauldron this morning in roundcubemail-0.9.3-1.mga4.

A CVE has been assigned for this (CVE-2013-5645):
http://openwall.com/lists/oss-security/2013/08/28/4

Summary: roundcubemail new security issues fixed in 0.9.3 => roundcubemail new security issues fixed in 0.9.3 (CVE-2013-5645)

roundcubemail-0.7.4-1.2.mga2 and roundcubemail-0.9.3-1.mga3 have been submitted.

CC: (none) => oe

(In reply to David Walser from comment #5)
> Has anything been done about Bug 9915 or Bug 9916?

Looking at the SVN commits, I see that nothing has been done on those. Hopefully we can get those addressed at some point.

Advisory for this update to come.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

XSS vulnerabilities when saving HTML signatures and when editing a message "as new" or draft in roundcubemail before 0.9.3 (CVE-2013-5645).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645
http://trac.roundcube.net/ticket/1489251
http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
========================

Updated packages in core/updates_testing:
========================
roundcubemail-0.7.4-1.2.mga2
roundcubemail-0.9.3-1.mga3

from SRPMS:
roundcubemail-0.7.4-1.2.mga2.src.rpm
roundcubemail-0.9.3-1.mga3.src.rpm

CC: (none) => mageia

Fedora has issued an advisory for this on August 23:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114854.html

URL: (none) => http://lwn.net/Vulnerabilities/565276/

Dave Hodgins
2013-08-30 01:50:52 CEST

CC: (none) => davidwhodgins

Advisory 11069.adv uploaded to svn. I'll test this shortly.

I can't recreate the poc in Mageia 2. Any point in pushing the update for it?

In Mageia 3, running the installer fails, when it's trying to generate the config files with ...
main.inc.php: NOT OK(Unable to read file. Did you create the config files?)
db.inc.php: NOT OK(Unable to read file. Did you create the config files?)

To fix the problem, I had to run ...
ln -s /etc/roundcubemail/ /usr/share/roundcubemail/config

In Mageia 3, the poc works. To create it, Select the Settings/Identities, and select the user, then paste
test<b onmouseover="alert(document.cookie)">asd</b>
into the signature field. Once it's saved, hovering the mouse over the asd part shows the problem.

I'll test the update on Mageia 3 shortly.

Testing complete on Mageia 3 x86_64

I've also added a comment to bug 9915 about the symlink problem.

Whiteboard: has_procedure mga2too => has_procedure mga2too MGA3-64-OK MGA3-32-OK

Testing complete on Mageia 2 i586 and x86_64. Although no change noticed, as the poc doesn't work on Mageia 2, no regressions found.

Someone from the sysadmin team please push 11069.adv to updates.

Keywords: (none) => validated_update

Update pushed:
http://advisories.mageia.org/MGASA-2013-0270.html

Status: NEW => RESOLVED