| Summary: | roundcubemail new security issues CVE-2015-2181, CVE-2015-8864, and CVE-2016-4069 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | oe, sysadmin-bugs, tarazed25, thomas |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/685881/ | ||
| Whiteboard: | has_procedure advisory MGA5-64-OK | ||
| Source RPM: | roundcubemail-1.0.8-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2016-04-25 11:40:23 CEST
I got an e-mail about new maintenance releases fixing bugs. It hadn't caught my attention because the word security was missing. I will now do the upgrade. Thanks David.

Status: NEW => ASSIGNED

This bug has been resolved by upgrading to vers. 1.0.9. The following packages are now in updates_testing:

    roundcubemail-1.0.9-1.mga5.src.rpm
    roundcubemail-1.0.9-1.mga5.noarch.rpm

Assigning to qa.

Assignee: thomas => qa-bugs

Applies to cauldron as well. There's a newer 1.2 RC out but I didn't check what it fixes.

CC: (none) => oe

I am working on upgrading to the RC1. BTW, 1.2 should be released soon.

CC: (none) => thomas

Advisory:
========================

Updated roundcubemail packages fix security vulnerabilities:

More security issues in the DBMail driver for the password plugin, related to CVE-2015-2181.

XSS issue in SVG images handling (CVE-2015-8864).

Lack of protection for attachment download URLs against CSRF (CVE-2016-4069).

The roundcubemail package has been updated to version 1.0.9, fixing these issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4069
http://openwall.com/lists/oss-security/2016/04/23/4
https://github.com/roundcube/roundcubemail/releases/tag/1.0.9
http://lists.roundcube.net/pipermail/users/2016-April/011299.html

Trying to test this on x86_64 but may have to yield. Before update I could not get to the installer stage in the browser.

Background:

    $ mysql -u root -p
    Enter password:
    MariaDB [(none)]> CREATE USER roundcube IDENTIFIED BY 'mailman';
    MariaDB [(none)]> CREATE DATABASE roundcubemail;
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'mailman';
    MariaDB [(none)]> FLUSH PRIVILEGES;
    MariaDB [(none)]> EXIT;
    Bye

Made the necessary changes in /etc/roundcubemail/config.inc.php

    @firefox http:/localhost/roundcubemail/installer/
    Error 404

    # mysql -u root -p
    MariaDB [(none)]> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | boojum             |
    | cacti              |
    | information_schema |
    | moodle             |
    | mysql              |
    | performance_schema |
    | roundcubemail      |
    | test               |
    +--------------------+

Where have I gone wrong?

CC: (none) => tarazed25

Without the installer stage it goes straight to the roundcube interface page and presents:

    DATABASE ERROR: CONNECTION FAILED
    Unable to connect to the database!

None of the menu buttons respond, not even logout.

In a somewhat contentious decision, the installer for roundcubemail was removed, making it a bit useless as a standalone package. See: https://bugs.mageia.org/show_bug.cgi?id=16249

Please just ensure it updates cleanly. Advisory uploaded.

Whiteboard: (none) => has_procedure advisory

Thanks for the information Claire. Installed the update OK.

    # urpmi roundcubemail
    A requested package cannot be installed:
    roundcubemail-1.0.8-1.mga5.noarch (in order to keep roundcubemail-1.0.9-1.mga5.noarch)

Pointing the browser at localhost/roundcubemail presents the interface as before with the 404 error. So I guess we give this the OK and validate it.
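The advisory above lists an XSS issue in SVG image handling (CVE-2015-8864). An inline SVG is an XML document that can carry script the same way HTML can, so a webmail client that renders it has to strip that content first. The following is an added example of such a washing step, written here for this page; it is not Roundcube's code and is not taken from the bug report. The blocked element and attribute sets, the `safe_href` policy and the sample SVG are all assumptions chosen to show the common vectors (script elements, `on*` handlers, `javascript:` hrefs, foreignObject with embedded HTML, animate/set retargeting an href).

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed block list: elements that run script, embed arbitrary HTML, or can
# rewrite another element's attributes at render time (animate/set can
# retarget an href to a javascript: URL after the document was checked).
BLOCKED_ELEMENTS = {"script", "foreignObject", "animate", "set", "handler"}


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def safe_href(value: str) -> bool:
    """Allow fragment references, relative paths and http(s); refuse
    javascript:, data: and every other scheme.  Whitespace and control
    characters are dropped first because browsers ignore them inside a
    scheme ('java\tscript:'), and the comparison is case-insensitive."""
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    if compact.startswith("#"):
        return True
    scheme, sep, _ = compact.partition(":")
    if not sep:
        return True          # no scheme at all: relative reference
    return scheme in ("http", "https")


def wash_svg(svg_text: str) -> str:
    """Return the SVG with active content removed."""
    root = ET.fromstring(svg_text)
    if local_name(root.tag) != "svg":
        raise ValueError("not an SVG document")
    # Snapshot the element list: pruning children while ET.iter() is still
    # walking the tree can make it skip the siblings of a removed node.
    for elem in list(root.iter()):
        for child in list(elem):
            if local_name(child.tag) in BLOCKED_ELEMENTS:
                elem.remove(child)
        for attr in list(elem.attrib):
            name = local_name(attr).lower()
            if name.startswith("on") or (name == "href" and not safe_href(elem.attrib[attr])):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed sample (not from any real mail): each line below carries a
# different way of smuggling script into an inline SVG.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(2)</script>
  <a xlink:href="JaVa&#9;ScRiPt:alert(3)"><text>click</text></a>
  <image href="#logo" width="10" height="10"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <img src="x" onerror="alert(4)"/></body></foreignObject>
  <rect onclick="alert(5)" width="5" height="5"/>
</svg>"""

if __name__ == "__main__":
    print(wash_svg(SAMPLE_SVG))
```

Two caveats for anyone adapting this: the standard-library XML parser is not hardened against entity-expansion attacks, so untrusted input should go through `defusedxml` or an equivalent; and an allow list (keep only known-safe elements and attributes) is the more robust policy than the block list used here, which exists to keep the example short.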
Len Lawrence
2016-04-28 18:25:55 CEST
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
Len Lawrence
2016-04-28 18:26:09 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0155.html

Status: ASSIGNED => RESOLVED
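The advisory in this bug also names a lack of CSRF protection on attachment download URLs (CVE-2016-4069). The underlying point is that a download URL which is authorized by the session cookie alone can be triggered from any origin, because the browser attaches the cookie regardless of which page issued the request; binding a per-session secret into the URL closes that. The following is an added illustration written for this page, not Roundcube's code and not the fix described in the linked references; the in-memory session store, the function names, and the `_task`/`_action`/`_uid`/`_part`/`_download`/`_token` query parameters are assumptions (the names follow Roundcube's query style but the handler is hypothetical).

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side session store: session id -> per-session request token.
# A dict here for the example; a real application keeps it with the session.
SESSIONS = {}


def new_session() -> str:
    """Log a user in: create a session and mint its random request token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"token": secrets.token_urlsafe(32)}
    return sid


def attachment_url(sid: str, uid: int, part: str) -> str:
    """Build the download link the mail UI hands to the logged-in user.
    The token is embedded in the URL, so only a page that already runs in
    the user's session can construct a valid link.  Parameter names are
    assumed, not copied from any project."""
    query = {"_task": "mail", "_action": "get", "_uid": uid, "_part": part,
             "_download": "1", "_token": SESSIONS[sid]["token"]}
    return "/?" + urlencode(query)


def authorize_download_weak(sid_from_cookie: str, url: str) -> bool:
    """Cookie-only check, the weak pattern: the browser attaches the cookie to
    a request triggered by any origin, so a forged URL passes."""
    return sid_from_cookie in SESSIONS


def authorize_download(sid_from_cookie: str, url: str) -> bool:
    """Hardened check: the request must also present the token bound to the
    session named by the cookie, compared in constant time."""
    session = SESSIONS.get(sid_from_cookie)
    if session is None:
        return False
    presented = parse_qs(urlparse(url).query).get("_token", [""])[0]
    # encode() so compare_digest never raises on non-ASCII attacker input
    return hmac.compare_digest(presented.encode(), session["token"].encode())


def demo() -> dict:
    """Exercise both checks against a legitimate and a forged download URL."""
    sid = new_session()
    legit = attachment_url(sid, 42, "2")
    # Constructed: what a hostile page would embed in an <img> or <a>.  The
    # victim's browser sends the session cookie, but the page cannot know
    # the token.
    forged = "/?_task=mail&_action=get&_uid=42&_part=2&_download=1"
    # A token minted for some other session must not be accepted either.
    other = new_session()
    return {
        "weak_accepts_forged": authorize_download_weak(sid, forged),
        "legit": authorize_download(sid, legit),
        "forged": authorize_download(sid, forged),
        "wrong_session_token": authorize_download(other, legit),
    }


if __name__ == "__main__":
    print(demo())
```

Because the token rides in a GET URL it can leak through Referer headers and logs, so the token should be per session (rotated at login) rather than a long-lived secret; setting the session cookie with `SameSite` is a useful second layer but was not available to the 2016 fix this bug tracks.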
David Walser
2016-05-04 19:50:07 CEST
URL: (none) => http://lwn.net/Vulnerabilities/685881/