| Summary: | roundcubemail new security issue fixed in 0.7.4 (CVE-2013-1904) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, oe, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/546480/ | ||
| Whiteboard: | has_procedure mga2-64-ok MGA2-32-OK | ||
| Source RPM: | roundcubemail-0.7.3-2.mga2.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-04-06 21:37:03 CEST
David Walser
2013-04-06 21:37:20 CEST
CC:
(none) =>
mageia This is now known as CVE-2013-1904. Fedora has issued an advisory on March 29: http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101623.html URL:
(none) =>
http://lwn.net/Vulnerabilities/546480/ Updated package uploaded by Oden. Note to Oden: removing the %apply_patches macro is really not a good idea. Advisory: ======================== Updated roundcubemail package fixes security vulnerability: A local file inclusion flaw was found in the way Round Cube Webmail performed validation of the 'generic_message_footer' value provided via web user interface in certain circumstances. A remote attacker could issue a specially- crafted request that, when processed by Round Cube Webmail could allow an attacker to obtain arbitrary file on the system, accessible with the privileges of the user running Round Cube Webmail client (CVE-2013-1904). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1904 http://sourceforge.net/news/?group_id=139281&id=310497 http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.7.4/ http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101623.html ======================== Updated packages in core/updates_testing: ======================== roundcubemail-0.7.4-1.1.mga2 from roundcubemail-0.7.4-1.1.mga2.src.rpm CC:
(none) =>
oe (In reply to David Walser from comment #2) > Note to Oden: removing the %apply_patches macro is really not a good idea. I know, but I think it will leave backups that otherwise will be packaged, no? (In reply to Oden Eriksson from comment #3) > (In reply to David Walser from comment #2) > > > Note to Oden: removing the %apply_patches macro is really not a good idea. > > I know, but I think it will leave backups that otherwise will be packaged, > no? If it does, that should be fixed in the %files list.
David Walser
2013-04-25 21:48:31 CEST
Severity:
normal =>
major No information how to configure this, it's not user friendly, plus the INSTALL file has been removed from /usr/share/doc/roundcubemail which the README refers you to. Could do with a README.urpmi. Edited /etc/roundcubemail/main.inc.php and configured imap/smtp server and enabled the installer. Created a mysql database & user with phpmyadmin. DB: roundcubemail User: roundcube Pass: pass These are just the lazy default values found in /etc/roundcubemail/db.inc/php Then configured at http://localhost/roundcubemail/installer In step 3 of the installer it shows an error.. /var/log/roundcubemail/: NOT OK(not writeable for the webserver) # ll -d /var/log/roundcubemail drwxr-xr-x 2 root root 4096 Oct 8 2012 /var/log/roundcubemail/ Clicked to initialise the database. After this, logged in at http://localhost/roundcubemail and everything works as expected with the exception of the logs. Is that something you'd like to correct here David? Whiteboard:
(none) =>
has_procedure mga2-64-ok? feedback (In reply to claire robinson from comment #5) > Is that something you'd like to correct here David? I'm not the maintainer (Damien is), but no, not at this time. Since Oden has already pushed this for MBS, I'd really like to get this released. Also, I imagine these issues probably affect the Mageia 3 package too, and they won't be able to be corrected there until after the release, so it'll be a while (it takes long enough just to get this package updated). As long as there's no regressions, I'd like to get this out, and then hopefully these other issues can be corrected before the next time we have to update it. Bug 9915 & bug 9916 created. Testing complete mga2 64 Whiteboard:
has_procedure mga2-64-ok? feedback =>
has_procedure mga2-64-ok Modification to comment 5 for future testers. The db name/password are in /etc/roundcubemail/db.inc.php Testing complete on Mageia 2 i586. Could someone from the sysadmin team push the srpm roundcubemail-0.7.4-1.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated roundcubemail package fixes security vulnerability: A local file inclusion flaw was found in the way Round Cube Webmail performed validation of the 'generic_message_footer' value provided via web user interface in certain circumstances. A remote attacker could issue a specially- crafted request that, when processed by Round Cube Webmail could allow an attacker to obtain arbitrary file on the system, accessible with the privileges of the user running Round Cube Webmail client (CVE-2013-1904). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1904 http://sourceforge.net/news/?group_id=139281&id=310497 http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.7.4/ http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101623.html https://bugs.mageia.org/show_bug.cgi?id=9640 Keywords:
(none) =>
validated_update Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0128 Status:
NEW =>
RESOLVED |