Bug 22005

Summary: roundcubemail new security issue CVE-2017-16651
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, marja11, mhrambo3501, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://www.debian.org/security/2017/dsa-4030
Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OK
Source RPM: roundcubemail-1.2.5-1.mga6.src.rpm CVE: CVE-2017-16651
Status comment:

Description Zombie Ryushu 2017-11-10 08:19:57 CET 
A file disclosure vulnerability was discovered in roundcube, a skinnable AJAX based webmail solution for IMAP servers. An authenticated attacker can take advantage of this flaw to read roundcube's configuration files.
Zombie Ryushu 2017-11-10 08:22:01 CET

URL: (none) => https://www.debian.org/security/2017/dsa-4030
CVE: (none) => CVE-2017-16651

Comment 1 Marja Van Waes 2017-11-10 12:07:31 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

See also
http://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10

Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => marja11, mrambo
Version: 6 => Cauldron
Assignee: bugsquad => pkg-bugs
Source RPM: roundcube => roundcubemail

Comment 2 David Walser 2017-11-10 14:37:33 CET 
Debian has issued an advisory for this on November 9:
https://www.debian.org/security/2017/dsa-4030

Summary: roundcube security update CVE-2017-16651 => roundcubemail new security issue CVE-2017-16651
Source RPM: roundcubemail => roundcubemail-1.2.5-1.mga6.src.rpm

Comment 3 Mike Rambo 2017-11-10 17:02:35 CET 
Cauldron updated to version 1.3.3.

Patched package uploaded for Mageia 5 and 6.

Advisory:
========================

Patched roundcubemail package fixes security vulnerability:

It was discovered that roundcubemail contained a zero-day file disclosure vulnerability caused by insuficient input validation which was currently being exploited by hackers to read roundcube's configuration files and steal its database credentials (CVE-2017-16651).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16651
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
https://www.debian.org/security/2017/dsa-4030
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.0.11-1.1.mga5

from roundcubemail-1.0.11-1.1.mga5.src.rpm

roundcubemail-1.2.5-1.1.mga6

from roundcubemail-1.2.5-1.1.mga6.src.rpm

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=9640#c5

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Mike Rambo 2017-11-10 17:14:54 CET

Keywords: (none) => has_procedure

Comment 4 Dave Hodgins 2017-11-11 06:07:31 CET 
In order to get roundcube mail working, the pre-requisites are having mysql
(mariadb), https (apache-mod_ssl), and an imap service such as dovecot
working with a real linux user with the proper directory structure for
the imap mail in /home.

Got roundcubemail working, and confirmed it's working after the update.
Not trying to recreate the actual exploit, as though it's described in
general, I don't see the details of how to use it.

Will update the testing procedure on the wiki later.

Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2017-11-16 08:40:18 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0409.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED