Bug 17407

Summary: roundcubemail new security issue fixed upstream in 1.0.8 (CVE-2015-8770)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs, thomas
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/672317/
Whiteboard: MGA5-32-OK advisory
Source RPM: roundcubemail-1.0.7-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-12-28 12:53:22 CET 
Upstream has released version 1.0.8 on December 23, fixing a security issue:
http://lists.roundcube.net/pipermail/users/2015-December/011226.html

Updated package uploaded for Mageia 5 by Thomas.

Advisory:
----------------------------------------

The roundcubemail package has been updated to version 1.0.8, which fixes a
path traversal issue and other bugs.  See the upstream release announcement
for more details.

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.0.8
http://lists.roundcube.net/pipermail/users/2015-December/011226.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
roundcubemail-1.0.8-1.mga5

from roundcubemail-1.0.8-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-12-28 12:53:59 CET

CC: (none) => thomas

Comment 1 Herman Viaene 2016-01-12 16:17:07 CET 
MGA5-32 Xfce on AcerD620
No installation issues.
As per bug17085 no further testing possible, so OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Dave Hodgins 2016-01-14 00:07:15 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Mageia Robot 2016-01-14 02:45:33 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0016.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 3 David Walser 2016-01-19 19:10:49 CET 
Apparently this received CVE-2015-8770.

Thomas, according to the Arch advisory, you need to update Cauldron to 1.2 beta 2 to fix this.

URL: (none) => http://lwn.net/Vulnerabilities/672317/
Summary: roundcubemail new security issue fixed upstream in 1.0.8 => roundcubemail new security issue fixed upstream in 1.0.8 (CVE-2015-8770)

Comment 4 Thomas Spuhler 2016-01-19 20:02:43 CET 
I will update it as soon as there is a new source code available
Comment 5 David Walser 2016-01-19 20:06:07 CET 
(In reply to Thomas Spuhler from comment #4)
> I will update it as soon as there is a new source code available

OK, yeah I see they haven't made a new release yet on that branch.

The commit that fixes it in 1.2 beta is here:
https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d