Bug 25944

Summary: roundcubemail new security issue CVE-2019-15237
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, mageia, nicolas.salguero, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: roundcubemail-1.3.8-2.mga7.src.rpm CVE: CVE-2019-15237
Status comment:

Description David Walser 2019-12-23 23:35:46 CET 
Fedora has issued an advisory on September 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/

The issue is fixed upstream in 1.3.10.

Mageia 7 is also affected.
David Walser 2019-12-23 23:35:57 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-24 21:36:12 CET 
Another package with no registered maintainer nor consistent recent committer, so have to assign it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2019-12-29 15:40:59 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. (CVE-2019-15237)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15237
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/
========================

Updated package in core/updates_testing:
========================
roundcubemail-1.3.10-1.mga7

from SRPMS:
roundcubemail-1.3.10-1.mga7.src.rpm

CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-15237
Whiteboard: MGA7TOO => (none)

Comment 3 PC LX 2019-12-29 18:28:08 CET 
Installed and tested without issue.


Tested using dovecot imap server, with several accounts with large number of folders and emails.



System: Mageia 7, x86_64, Firefox, Chromium, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia240 proprietary driver.



$ uname -a
Linux marte 5.4.6-desktop-2.mga7 #1 SMP Mon Dec 23 12:05:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.3.10-1.mga7

Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia

Comment 4 Thomas Andrews 2019-12-29 19:28:05 CET 
Validated. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-12-31 16:38:40 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2019-12-31 17:52:49 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0420.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2020-09-25 00:58:23 CEST 
This update also fixed CVE-2019-10740:
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html