Upstream has released version 0.9.3:
which fixes two XSS issues. CVEs have been requested:
I don't know if 0.7.x (Mageia 2) is affected.
Steps to Reproduce:
Oden fixed this in Cauldron this morning in roundcubemail-0.9.3-1.mga4.
Also note that there are two outstanding bug reports on this package:
Bug 9915 and Bug 9916
A CVE has been assigned for this (CVE-2013-5645):
roundcubemail new security issues fixed in 0.9.3 => roundcubemail new security issues fixed in 0.9.3 (CVE-2013-5645)
roundcubemail-0.7.4-1.2.mga2 and roundcubemail-0.9.3-1.mga3 have been submitted.
Has anything been done about Bug 9915 or Bug 9916?
(In reply to David Walser from comment #5)
> Has anything been done about Bug 9915 or Bug 9916?
Looking at the SVN commits, I see that nothing has been done on those. Hopefully we can get those addressed at some point.
Advisory for this update to come.
Updated roundcubemail package fixes security vulnerability:
XSS vulnerabilities when saving HTML signatures and when editing a message "as
new" or draft in roundcubemail before 0.9.3 (CVE-2013-5645).
Updated packages in core/updates_testing:
Fedora has issued an advisory for this on August 23:
Advisory 11069.adv uploaded to svn.
I'll test this shortly.
I can't recreate the poc in Mageia 2.
Any point in pushing the update for it?
In Mageia 3, running the installer fails, when it's trying to generate
the config files with ...
main.inc.php: NOT OK(Unable to read file. Did you create the config files?)
db.inc.php: NOT OK(Unable to read file. Did you create the config files?)
To fix the problem, I had to run ...
ln -s /etc/roundcubemail/ /usr/share/roundcubemail/config
In Mageia 3, the poc works.
To create it, select Settings/Identities, select the user, then paste
into the signature field. Once it's saved, hovering the mouse over the asd part
shows the problem.
I'll test the update on Mageia 3 shortly.
Testing complete on Mageia 3 x86_64
I've also added a comment to bug 9915 about the symlink problem.
has_procedure mga2too => has_procedure mga2too MGA3-64-OK MGA3-32-OK
Testing complete on Mageia 2 i586 and x86_64.
Although no change noticed, as the poc doesn't work on Mageia 2, no
Someone from the sysadmin team please push 11069.adv to updates.
has_procedure mga2too MGA3-64-OK MGA3-32-OK => has_procedure mga2too MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK