| Summary: | roundcubemail new security issues CVE-2020-1262[56] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, luigiwalser, mageia, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | roundcubemail-1.3.10-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
Marc Krämer
2020-05-04 18:17:15 CEST
Updated roundcubemail packages fix security vulnerabilities:

- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.3.11

========================
Updated packages in core/updates_testing:
========================
roundcubemail-1.3.11-1.mga7.noarch.rpm

SRPM:
roundcubemail-1.3.11-1.mga7.src.rpm

Assignee: mageia => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 22941 Comment 10 and 23826 Comment 10 for testing.
Success configuring roundcubemail for my gmail account, sent mail to my hotmail account (read on my desktop PC) and receiving answer from it. So roundcube does its thing.
OK for me.

CC: (none) => herman.viaene

Installed and tested without issue.
Tested using dovecot imap server. Several accounts with large number of folders and emails.
System: Mageia 7, x86_64, Firefox, Chromium, Chrome, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia240 proprietary driver.

$ uname -a
Linux marte 5.6.8-desktop-1.mga7 #1 SMP Thu Apr 30 06:12:53 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q roundcubemail
roundcubemail-1.3.11-1.mga7

CC: (none) => mageia

Debian has issued an advisory for this on May 5:
https://www.debian.org/security/2020/dsa-4674

Updated roundcubemail packages fix security vulnerabilities:

- Cross-Site Scripting (XSS) via malicious HTML content (CVE-2020-12625)
- CSRF attack can cause an authenticated user to be logged out (CVE-2020-12626)
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12626
https://github.com/roundcube/roundcubemail/releases/tag/1.3.11
https://www.debian.org/security/2020/dsa-4674

Summary: Security issues in roundcube mail => roundcubemail new security issues CVE-2020-1262[56]

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update

OK. It had been a looooonnnnng day on the tractor, and I was tired.

Thomas Backlund
2020-05-08 12:02:48 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0206.html

Status: NEW => RESOLVED

This update also fixed CVE-2020-12640:
https://bugzilla.suse.com/show_bug.cgi?id=1171149
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html

CC: (none) => luigiwalser