| Summary: | roundcubemail new security issue CVE-2018-9846 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, mageia, marja11, mhrambo3501, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | roundcubemail-1.3.3-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser 2018-04-22 16:39:56 CEST

David Walser 2018-04-22 16:40:10 CEST

Whiteboard: (none) => MGA6TOO

---

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs

---

Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

This update fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin (CVE-2018-9846).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9846
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z5Z2OC2XYT33AXQAC6NBFEM5PJNFVZRR/
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.3.6-1.mga6.noarch.rpm

from roundcubemail-1.3.6-1.mga6.src.rpm

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=9640#c5

Keywords: (none) => has_procedure

---

Adds some new dependencies. Is that expected?

    # urpmi roundcubemail
    To satisfy dependencies, the following packages are going to be installed:
      Package             Version   Release   Arch
    (medium "Core Release2")
      perl-Authen-SASL    2.160.0   7.mga6    noarch
      perl-Convert-ASN1   0.270.0   5.mga6    noarch
      perl-Digest-HMAC    1.30.0    8.mga6    noarch
      perl-Digest-SHA1    2.130.0   19.mga6   x86_64
      perl-ldap           0.650.0   3.mga6    noarch
    (medium "Core Updates Testing")
      roundcubemail       1.3.6     1.mga6    noarch

Whiteboard: (none) => feedback

---

Also bad signature.

    The following package has bad signature:
    /var/cache/urpmi/rpms/roundcubemail-1.3.6-1.mga6.noarch.rpm: Missing signature (OK ((none)))

---

perl dependencies are automatically generated, so they are what they are, but we can't have bad signatures, so the package will need to be rebuilt.

---

Rebuilt package to correct signature problem. New file list.

Updated packages in core/updates_testing:
========================
roundcubemail-1.3.6-1.1.mga6.noarch.rpm

from roundcubemail-1.3.6-1.1.mga6.src.rpm

Whiteboard: feedback => (none)

---

MGA6-32 on IBM Thinkpad R50e MATE

Installation draws in apache, but not mariadb, which is a prerequisite as well.
Please do not refer to bug 9640 anymore, as the info on testing is obsolete (the installer is not there anymore); the wiki is better, although not complete.
I will give more feedback once I get through all the loops.

CC: (none) => herman.viaene

---

I needed to change the file /etc/my.cnf.d/cracklib_password_check.cnf to comment out the line on the cracklib plugin. That gets rid of the policy error when trying to enter the roundcube user.
I'm still stuck at the database connection error, but my guess is that, with our current setup, we do not populate the roundcubemail database with its necessary tables. I cannot continue my investigation right now.
Googling, I find references to a /usr/share/roundcubemail/SQL folder, but that one is not in our rpm?

---

Installed and (minimally) tested.

Installing required various steps.
1) Install the package roundcubemail and its dependencies (and recommends).
2) Start Apache (the httpd server I used) and MariaDB (the database server I used).
2) Create a database in MariaDB.
3) Create a database account (with all access rights; probably not all access rights are needed or desirable, but this was only for testing).
4) Initialize the database. Run:
   mysql -u username -p database_name < /usr/share/doc/roundcubemail/SQL/mysql.initial.sql
5) Install JS dependencies. Run as root:
   /usr/share/roundcubemail/bin/install-jsdeps.sh
6) Edit, as root, the file /etc/roundcubemail/config.inc.php, and set the DSN, IMAP and SMTP settings.
7) Load the http://localhost/roundcubemail/ page in a browser.
8) Log in using the username/password for an IMAP account in the IMAP server configured in step 6.

While roundcubemail worked, I noticed that only some folders showed up in the list. The account I used has thousands. From the folders shown, I suspect it is only showing folders with recent emails. I don't know if this is how it's supposed to be or some limitation or bug.

I don't usually use any webmail stuff and have only used roundcubemail once or twice for quick access to an account, so I have no idea if there are any regressions. Will let someone else decide on giving the approved stamp to this one.

CC: (none) => mageia

---

Forgot the system info.

System: Mageia 6, x86_64, Intel CPU.

    $ uname -a
    Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
    $ rpm -q roundcubemail
    roundcubemail-1.3.6-1.1.mga6

---

It's been a week since the last comment, so I'm marking it as OK for x86_64.

Whiteboard: (none) => MGA6-64-OK

---

Advisoried. Validating.

Keywords: (none) => advisory, validated_update

---

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0288.html

Status: NEW => RESOLVED
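The advisory above attributes CVE-2018-9846 to insufficient input validation of an IMAP command argument in the archive plugin. As an added illustration of the mitigation class (this is not Roundcube's code; the function names, the COPY command shape and the sample folder names are assumptions), the Python below accepts an untrusted mailbox name only as an RFC 3501 quoted string and refuses anything that could terminate the command early:

```python
import re

# Added example (not Roundcube's code): building an IMAP command argument
# from an untrusted mailbox (folder) name, the input class the advisory names.
# Names are assumed to be already in 7-bit wire form (modified UTF-7);
# non-ASCII input is rejected rather than encoded.

# RFC 3501 quoted strings cannot carry CR, LF or NUL; any control character
# is refused here instead of escaped.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_mailbox_name(name: str) -> bool:
    """True if the name can travel inside an IMAP quoted string."""
    return len(name) > 0 and name.isascii() and not _CTL.search(name)


def quote_mailbox(name: str) -> str:
    """Return the mailbox name as an IMAP quoted string.

    A raw CR/LF inside an interpolated name would terminate the command early
    and leave the rest to be read by the server as a new command, so such
    names are rejected outright. Backslash and double quote are escaped as
    RFC 3501 requires.
    """
    if not is_safe_mailbox_name(name):
        raise ValueError("mailbox name contains control or non-ASCII characters")
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_copy_command(tag: str, sequence_set: str, mailbox: str) -> str:
    """Compose the COPY command an archive operation issues; every caller
    field is validated: tag and sequence set against a strict pattern, the
    mailbox name through quote_mailbox()."""
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError("bad command tag")
    if not re.fullmatch(r"[0-9*][0-9:,*]*", sequence_set):
        raise ValueError("bad sequence set")
    return f"{tag} COPY {sequence_set} {quote_mailbox(mailbox)}\r\n"


if __name__ == "__main__":
    # Constructed sample names: one benign, one carrying a line break.
    print(build_copy_command("A001", "1:3", 'Archive/2018 "Q2"'), end="")
    for sample in ("Archive/2018", "Archive\r\nX"):
        print(repr(sample), "->", is_safe_mailbox_name(sample))
```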