Bug 26905

Updated roundcubemail packages fix security vulnerabilities:

This update fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace.

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.3.14
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.3.14-1.mga7.noarch.rpm

SRPM:
roundcubemail-1.3.14-1.mga7.src.rpm

Assignee: mageia => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 22941 for installation.
Checked phpmyadmin, mysqld, httpd, dovecot and php-fpm are installed and running. Made changes in roundcube conf for gmail IMAP settings
Run at CLI:
# mysql -u roundcube -p roundcubemail < /usr/share/doc/roundcubemail/SQL/mysql.initial.sql
Enter password: 
Checked with phpmyadmin that tables have been created, then
# /usr/share/roundcubemail/bin/install-jsdeps.sh
-bash: /usr/share/roundcubemail/bin/install-jsdeps.sh: No such file or directory
This step is still in the roundcube docs, but is still needed?
Anyway, pointing the browser at http://localhost/roundcubemail/ just draws a blank page,  no error or warning of any kind.

CC: (none) => herman.viaene

Installed and tested without issues.


Tested on setup with apache, PHP-FPM, mariadb and dovecot. 
Tested with multiple email accounts with GiB of emails.


System: Mageia 7, x86_64, Intel CPU.



$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.3.14-1.mga7
$ 
$ 
$ rpm -qa | egrep '(mariadb|apache|php-fpm|dovecot)' | sort
apache-2.4.43-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.43-1.mga7
apache-mod_php-7.3.19-2.mga7
apache-mod_proxy-2.4.43-1.mga7
apache-mod_ssl-2.4.43-1.mga7
dovecot-2.3.10.1-1.mga7
dovecot-pigeonhole-2.3.10.1-1.mga7
lib64mariadb3-10.3.23-1.mga7
mariadb-10.3.23-1.mga7
mariadb-client-10.3.23-1.mga7
mariadb-common-10.3.23-1.mga7
mariadb-common-core-10.3.23-1.mga7
mariadb-core-10.3.23-1.mga7
mariadb-extra-10.3.23-1.mga7
php-fpm-7.3.19-2.mga7
$ systemctl status httpd.service php-fpm.service dovecot.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-07-06 15:49:22 WEST; 3h 38min ago
 Main PID: 10921 (httpd)
   Status: "Total requests: 96; Idle/Busy workers 92/8;Requests/sec: 0.00733; Bytes served/sec: 126 B/sec"
    Tasks: 66 (limit: 4697)
   Memory: 34.8M
   CGroup: /system.slice/httpd.service
           ├─10921 /usr/sbin/httpd -DFOREGROUND
           ├─10922 /usr/sbin/httpd -DFOREGROUND
           └─10923 /usr/sbin/httpd -DFOREGROUND

jul 06 15:49:22 marte systemd[1]: Starting The Apache HTTP Server...
jul 06 15:49:22 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-07-06 19:17:33 WEST; 10min ago
 Main PID: 14791 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 32, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4697)
   Memory: 47.1M
   CGroup: /system.slice/php-fpm.service
           ├─14791 php-fpm: master process (/etc/php-fpm.conf)
           ├─14877 php-fpm: pool www
           └─14898 php-fpm: pool www

jul 06 19:17:33 marte systemd[1]: Starting The PHP FastCGI Process Manager...
jul 06 19:17:33 marte systemd[1]: Started The PHP FastCGI Process Manager.

● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-07-06 19:17:45 WEST; 10min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 14878 (dovecot)
    Tasks: 9 (limit: 4697)
   Memory: 18.5M
   CGroup: /system.slice/dovecot.service
           ├─14878 /usr/sbin/dovecot -F
           ├─14881 dovecot/anvil
           ├─14882 dovecot/log
           ├─14884 dovecot/config
           ├─14886 dovecot/stats
           ├─15357 dovecot/imap-login
           ├─15358 dovecot/imap
           ├─15375 dovecot/imap-login
           └─15378 dovecot/imap

jul 06 19:18:26 marte dovecot[14882]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=15476, secured, session=<Q6oZ/MmpVsj9AAAAAAEAAQAAAAAAAAAB>
jul 06 19:18:26 marte dovecot[14882]: imap(pclx)<15476><Q6oZ/MmpVsj9AAAAAAEAAQAAAAAAAAAB>: Logged out in=393 out=7750 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=434 body_count=1 body_bytes=5660
jul 06 19:18:30 marte dovecot[14882]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=15478, secured, session=<f3JU/MmpWMj9AAAAAAEAAQAAAAAAAAAB>
jul 06 19:18:30 marte dovecot[14882]: imap(pclx)<15478><f3JU/MmpWMj9AAAAAAEAAQAAAAAAAAAB>: Logged out in=306 out=1690 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=337 body_count=0 body_bytes=0
jul 06 19:18:34 marte dovecot[14882]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=15481, secured, session=<5D6N/MmpWsj9AAAAAAEAAQAAAAAAAAAB>

CC: (none) => mageia

Debian has issued an advisory for this today (July 8):
https://www.debian.org/security/2020/dsa-4720

Make sure to include the CVE in the advisory.

Summary: Roundcubemail: XSS vulnerability in svg images => Roundcubemail: XSS vulnerability in svg images (CVE-2020-15562)

This update has been working without issues for almost a week so I'm OKing this update. Please undo if you think its appropriate.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory information in Comment 1 and Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0301.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED