Bug 17085

Summary: roundcubemail new security issues fixed upstream in 1.0.7 (CVE-2015-8105)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: herman.viaene, sysadmin-bugs, thomas, tmb
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/663069/
Whiteboard: MGA5-32-OK mga5-64-ok advisory
Source RPM: roundcubemail-1.0.6-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-11-04 19:29:04 CET
OpenSuSE has issued an advisory today (November 4):
http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html

The XSS issue is in the software itself. The other issue is specific to OpenSuSE's package; I don't know if it affects ours.

Comment 1 Thomas Spuhler 2015-11-04 22:32:33 CET
This bug has been fixed by upgrading to version 1.0.7.
The following packages are now in upgrades_testing:

roundcubemail-1.0.7-1.mga5.src.rpm
roundcubemail-1.0.7-1.mga5.noarch.rpm

Status: NEW => ASSIGNED

Comment 2 Thomas Spuhler 2015-11-04 22:34:05 CET
assigning to qa

CC: (none) => thomas
Assignee: thomas => qa-bugs

Comment 3 Herman Viaene 2015-11-06 16:07:25 CET
MGA5-32 on AcerD620
No installation issues.
Followed instructions on bug 9640 Comment 5, but getting nowhere.
Created the same database, user and password, checked the config.inc.php file.
The difference is that there is no more main.inc.php; I changed the installer allowed setting in defaults.inc.php.
When I go to http://localhost/roundcubemail/installer, I get a 404 error.
Putting the line for the installer in config.inc.php does not help.

CC: (none) => herman.viaene

Comment 4 claire robinson 2015-11-06 16:22:22 CET
The installer was removed, so this package is pretty useless on its own as it stands.

Please just verify that it updates cleanly.
Comment 5 Herman Viaene 2015-11-06 17:02:22 CET
Above test was on a blank PC as far as roundcube is concerned.
Now I first deleted 1.0.7-1, installed the previous 1.0.6-1.1 without problems and then installed 1.0.7-1 over it, no issues. So OK then.

Whiteboard: (none) => MGA5-32-OK

Comment 6 claire robinson 2015-11-07 17:48:57 CET
Validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2015-11-07 18:04:40 CET
Missing advisory.
Comment 8 David Walser 2015-11-07 18:53:05 CET
Advisory:
----------------------------------------

The roundcubemail package has been updated to version 1.0.7, which fixes an
XSS issue in drag-n-drop file uploads and other bugs. See the upstream
release announcement for more details.

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.0.7
http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html
Comment 9 Thomas Backlund 2015-11-07 20:48:20 CET
Advisory added to svn.

CC: (none) => tmb
Whiteboard: MGA5-32-OK mga5-64-ok => MGA5-32-OK mga5-64-ok advisory

Comment 10 Mageia Robot 2015-11-07 21:12:21 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0438.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 11 David Walser 2016-03-09 20:01:34 CET
The XSS issue is apparently CVE-2015-8105 according to the Gentoo advisory:
http://lwn.net/Vulnerabilities/679406/
https://security.gentoo.org/glsa/201603-03

Summary: roundcubemail new security issues fixed upstream in 1.0.7 => roundcubemail new security issues fixed upstream in 1.0.7 (CVE-2015-8105)