Bug 7246

Fixed in Cauldron by Damien.  Mageia 2 pending.

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Mageia 2 update in progress.

Damien updated it to 0.7.3, now it just needs the patch:
http://pkgs.fedoraproject.org/cgit/roundcubemail.git/plain/roundcubemail-0.7.3-xss-sig.patch?h=f17&id=ac0541ca40878a5daf0fcae3457c41239b308462

Advisory:
-------------
This update of roundcubemail is a bugfix and security (XSS signature) update.

Packages:
-------------
roundcubemail-0.7.3-1.mga2.src.rpm

How to test:
-------------
- Install roundcube in Mageia 2.
- Configure it.
- Install the update package and check it's still working as expected.
FYI: 
- here is the ChangeLog: http://trac.roundcube.net/wiki/Changelog#Release0.7.3
- here is the XSS patch: https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32

Status: NEW => ASSIGNED
Assignee: mageia => qa-bugs
Summary: roundcubemail new security issues fixed in 0.8.1 => [Update Request] roundcubemail - Bugfix and Security issues fixed in 0.7.3 + patch
Source RPM: roundcubemail-0.7.2-1.mga2.src.rpm => roundcubemail-0.7.3-2.mga2.src.rpm

Thanks Damien!

Just to flesh out the advisory, this fixes two CVEs:

Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in
Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web
script or HTML by using "javascript:" in an href attribute in the body of
an HTML-formatted email (CVE-2012-3508).

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and
earlier allows remote attackers to inject arbitrary web script or HTML via
the signature in an email (CVE-2012-4668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4668
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html
http://trac.roundcube.net/wiki/Changelog#Release0.7.3

Status: ASSIGNED => NEW

tested on i586 and x86_64. Could not reproduce XSS vulnerability neither in previous version of Core-Updates nor in Updates_testing.

No regression detected.

Updates validated.


Advisory
========
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in
Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web
script or HTML by using "javascript:" in an href attribute in the body of
an HTML-formatted email (CVE-2012-3508).

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and
earlier allows remote attackers to inject arbitrary web script or HTML via
the signature in an email (CVE-2012-4668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4668
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html
http://trac.roundcube.net/wiki/Changelog#Release0.7.3

src rpm: roundcubemail-0.7.3-1.mga2.src.rpm


Could someone of sysadmin team push to Core_Updates. Thanks!

Keywords: (none) => validated_update
CC: (none) => marc.lattemann, sysadmin-bugs
Whiteboard: (none) => MGA2-32-OK, MGA2-64-OK

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0292

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

I'm confused here since CVE-2012-3508 and CVE-2012-4668 has not been fixed yet.

https://bugzilla.redhat.com/show_bug.cgi?id=849615#c7

However after researching this today, all issues has been fixed in 0.8.6.

CC: (none) => oe

That comment doesn't say it's not fixed.  I don't know why that particular bug is still open, but this bug is the Fedora tracker for those issues:
https://bugzilla.redhat.com/show_bug.cgi?id=849616

It was closed when they issued the same update that we did.