| Summary: | roundcubemail new security issues CVE-2021-4402[56] and XSS issue fixed in 1.5.2 (CVE-2021-46144) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, mageia, mageia, mageia, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | roundcubemail-1.5-0.beta.2.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2021-11-25 01:23:09 CET
version 1.5.0 final pushed in mga8
src:
- roundcubemail-1.5.0-1.mga8

CC: (none) => mageia, mageia

Failed to install the update.

$ urpmi roundcubemail --test
A requested package cannot be installed:
roundcubemail-1.5.0-1.mga8.noarch (due to unsatisfied pear(TinyCPConnector.php))
Continue installation anyway? (Y/n) n
$ urpmf --files /TinyCPConnector.php
$ # Nothing found
$ uname -a
Linux marte 5.10.78-desktop-1.mga8 #1 SMP Sat Nov 6 13:40:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q roundcubemail
roundcubemail-1.5-0.beta.2.mga8
$ cat /etc/release
Mageia release 8 (Official) for x86_64

CC: (none) => mageia
David Walser
2021-11-25 15:56:49 CET
Assignee: qa-bugs => mageia

we have the same deps issue in cauldron.

Fedora has issued an advisory today (January 12):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TPIGI7LQQIBILELWRDTJL5ZU3EZBYSYM/

The issue is fixed upstream in 1.5.2 (December 30):
https://github.com/roundcube/roundcubemail/releases/tag/1.5.2

Summary: roundcubemail new security issues CVE-2021-4402[56] => roundcubemail new security issues CVE-2021-4402[56] and XSS issue fixed in 1.5.2

Updated roundcube mail packages fix security vulnerabilities:

This update fixes two security issues found in roundcube mail.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44026
========================
Updated packages in core/updates_testing:
========================
roundcubemail-1.5.2-1.mga8.noarch

SRPM:
roundcubemail-1.5.2-1.mga8.src.rpm
Nicolas Lécureuil
2022-01-12 22:49:00 CET
Status comment: Unsatisfied pear dependency in update candidate => (none)

Installed and tested without issues.
Have been using this update for over a week without issues so I'm going to give it an OK. Please unOK if needed.
Tested using a system with apache, PHP-FPM, mariadb and dovecot.
Tested using large email accounts with GiB of emails.
Have 2FA enabled using a 3rd party plugin: roundcubemail-plugin-twofactor_gauthenticator
System: Mageia 8, x86_64, Intel CPU.
$ uname -a
Linux marte 5.15.16-desktop-1.mga8 #1 SMP Thu Jan 20 16:28:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.5.2-1.mga8
$ systemctl status httpd.service php-fpm.service dovecot.service mysqld.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2022-01-26 10:24:27 WET; 1min 1s ago
TriggeredBy: ● httpd.socket
Main PID: 2778 (httpd)
Status: "Total requests: 88; Idle/Busy workers 100/0;Requests/sec: 1.49; Bytes served/sec: 28KB/sec"
Tasks: 54 (limit: 4690)
Memory: 35.1M
CPU: 164ms
CGroup: /system.slice/httpd.service
├─2778 /usr/sbin/httpd -DFOREGROUND
├─2779 /usr/sbin/httpd -DFOREGROUND
└─2780 /usr/sbin/httpd -DFOREGROUND
jan 26 10:24:27 marte systemd[1]: Starting The Apache HTTP Server...
jan 26 10:24:27 marte systemd[1]: Started The Apache HTTP Server.
● php-fpm.service - The PHP FastCGI Process Manager
Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2022-01-26 10:24:27 WET; 1min 2s ago
TriggeredBy: ● php-fpm.socket
Main PID: 2833 (php-fpm)
Status: "Processes active: 0, idle: 1, Requests: 7, slow: 0, Traffic: 0req/sec"
Tasks: 2 (limit: 4690)
Memory: 25.9M
CPU: 637ms
CGroup: /system.slice/php-fpm.service
├─2833 php-fpm: master process (/etc/php-fpm.conf)
└─2837 php-fpm: pool www
jan 26 10:24:27 marte systemd[1]: Starting The PHP FastCGI Process Manager...
jan 26 10:24:27 marte php-fpm[2833]: [NOTICE] fpm is running, pid 2833
jan 26 10:24:27 marte php-fpm[2833]: [NOTICE] ready to handle connections
jan 26 10:24:27 marte systemd[1]: Started The PHP FastCGI Process Manager.
jan 26 10:24:27 marte php-fpm[2833]: [NOTICE] systemd monitor interval set to 10000ms
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2022-01-26 10:18:55 WET; 6min ago
TriggeredBy: ● dovecot.socket
Docs: man:dovecot(1)
https://doc.dovecot.org/
Main PID: 1633 (dovecot)
Status: "v2.3.17.1 (476cd46418) running"
Tasks: 9 (limit: 4690)
Memory: 38.7M
CPU: 740ms
CGroup: /system.slice/dovecot.service
├─1633 /usr/sbin/dovecot -F
├─1635 dovecot/anvil
├─1636 dovecot/log
├─1637 dovecot/imap-login
├─1638 dovecot/config
├─1640 dovecot/stats

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-01-27 21:21:43 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0039.html

Resolution: (none) => FIXED

(In reply to David Walser from comment #4)
> Fedora has issued an advisory today (January 12):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TPIGI7LQQIBILELWRDTJL5ZU3EZBYSYM/
>
> The issue is fixed upstream in 1.5.2 (December 30):
> https://github.com/roundcube/roundcubemail/releases/tag/1.5.2

This is CVE-2021-46144:
https://www.debian.org/lts/security/2022/dla-2878

Summary: roundcubemail new security issues CVE-2021-4402[56] and XSS issue fixed in 1.5.2 => roundcubemail new security issues CVE-2021-4402[56] and XSS issue fixed in 1.5.2 (CVE-2021-46144)