| Summary: | roundcubemail new XSS security issue fixed upstream in 1.3.8 (CVE-2018-19206) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | guillomovitch, herman.viaene, lewyssmith, mageia, marja11, mhrambo3501, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | roundcubemail-1.3.6-3.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description

David Walser 2018-11-08 19:46:02 CET

David Walser 2018-11-08 19:46:26 CET

Whiteboard: (none) => MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing two committers.

Assignee: bugsquad => pkg-bugs

Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability and bugs:

This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability (in handling invalid style tag content) plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8 (no CVE).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/56EUDX57TIX42ULN63ZD6HCOX5PLNOZJ/
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.3.8-1.mga6.noarch.rpm

from roundcubemail-1.3.8-1.mga6.src.rpm

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=9640#c5

Keywords: (none) => has_procedure

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to bug 9640 is obsolete as roundcubemail/installer does not exist anymore. Bug 22941 is a better guide. But step 5 js dependencies does not exist anymore either, so I just skipped that step.
Step 7 (roundcube page) brings me into a log screen, but there I'm stuck since I don't have any IMAP account (sticking to pop3). But AFAICS, it looks OK. Leaving the OK for someone with a real IMAP account.

CC: (none) => herman.viaene

Installed and tested without issue.
System: Mageia 6, x86_64, Firefox, Chrome, Chromium, Plasma DE, LXQt, Intel CPU, nVidia GPU using nvidia240 proprietary driver.
For step-by-step installing instructions look here: https://bugs.mageia.org/show_bug.cgi?id=22941#c10

$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep roundcube
roundcubemail-1.3.6-1.2.mga6

Whiteboard: (none) => MGA6-64-OK

(In reply to PC LX from comment #4)
> $ rpm -qa | grep roundcube
> roundcubemail-1.3.6-1.2.mga6
Thank you (& Herman) for your test of this difficult package (and the installation pointer); but is the version right? Comment 2 says "roundcubemail-1.3.8-1.mga6".
@Herman: what version did you test?
Advisory done from c2.

CC: (none) => lewyssmith

(In reply to Lewis Smith from comment #5)
> (In reply to PC LX from comment #4)
> > $ rpm -qa | grep roundcube
> > roundcubemail-1.3.6-1.2.mga6
> but is the version right? Comment 2 says "roundcubemail-1.3.8-1.mga6".
Sorry, my mistake! I copied the version from before the update. This is the version I tested, the one after the update.
$ rpm -qa | grep roundcubemail
roundcubemail-1.3.8-1.mga6

Thanks a bunch, PC_LX. Can validate this now (which you could have done).

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0463.html

Status: NEW => RESOLVED

This is CVE-2018-19206, according to this Debian advisory from November 24:
https://www.debian.org/security/2018/dsa-4344

Summary: roundcubemail new XSS security issue fixed upstream in 1.3.8 => roundcubemail new XSS security issue fixed upstream in 1.3.8 (CVE-2018-19206)

CVE-2018-19205 was also fixed in 1.3.7 in this update:
https://bugzilla.suse.com/show_bug.cgi?id=1115719
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html
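The version mix-up between comments 4 and 6 (an old `rpm -qa` line pasted after the update had actually been applied) is exactly the kind of slip a QA validator can catch mechanically. The script below is an added example, not part of the bug report or of Mageia's tooling: it parses an rpm name-version-release string such as the two quoted in the thread, compares the upstream version against the fixed version named in the advisory (1.3.8), and reports whether the installed package carries the fix. The two input strings are taken from the thread; the function names and the fixed-version constant are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): check that an installed
# roundcubemail package is at least the fixed version from the advisory.
# The NVR strings fed in at the bottom are the ones quoted in the thread,
# standing in for live `rpm -qa | grep roundcubemail` output.

FIXED_VERSION="1.3.8"   # version named in the advisory on this page

# Extract the upstream version from an rpm NVR such as
# "roundcubemail-1.3.8-1.mga6": drop the name prefix, then the release suffix.
nvr_version() {
    v="${1#roundcubemail-}"
    printf '%s\n' "${v%%-*}"
}

# Compare two dotted numeric versions component by component.
# Prints "lt", "eq" or "gt"; a missing component counts as 0 (1.3 < 1.3.8).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then echo lt; return; fi
        if [ "$x" -gt "$y" ]; then echo gt; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo eq
}

# Return 0 (true) if the NVR is at or above FIXED_VERSION, 1 otherwise.
is_fixed() {
    case "$(vercmp "$(nvr_version "$1")" "$FIXED_VERSION")" in
        lt) return 1 ;;
        *)  return 0 ;;
    esac
}

# Run on the NVR from comment 4 (pre-update) and the one from comment 6 (updated).
for nvr in roundcubemail-1.3.6-1.2.mga6 roundcubemail-1.3.8-1.mga6; do
    if is_fixed "$nvr"; then
        echo "$nvr: fixed (>= $FIXED_VERSION)"
    else
        echo "$nvr: NOT fixed (< $FIXED_VERSION)"
    fi
done
```

Only the upstream version is compared here; a distribution that backports a fix without bumping the upstream version (as 1.3.7 and 1.3.8 are bumped in this update) would need the release field checked as well.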