Upstream has released version 0.9.3: http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3 which fixes two XSS issues. CVEs have been requested: http://openwall.com/lists/oss-security/2013/08/23/13 I don't know if 0.7.x (Mageia 2) is affected.
Oden fixed this in Cauldron this morning in roundcubemail-0.9.3-1.mga4.
Also note that there are two outstanding bug reports on this package: Bug 9915 and Bug 9916
A CVE has been assigned for this (CVE-2013-5645): http://openwall.com/lists/oss-security/2013/08/28/4
Summary: roundcubemail new security issues fixed in 0.9.3 => roundcubemail new security issues fixed in 0.9.3 (CVE-2013-5645)
roundcubemail-0.7.4-1.2.mga2 and roundcubemail-0.9.3-1.mga3 have been submitted.
CC: (none) => oe
Has anything been done about Bug 9915 or Bug 9916?
(In reply to David Walser from comment #5)
> Has anything been done about Bug 9915 or Bug 9916?

Looking at the SVN commits, I see that nothing has been done on those. Hopefully we can get those addressed at some point. Advisory for this update to come.
Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

XSS vulnerabilities when saving HTML signatures and when editing a message "as new" or draft in roundcubemail before 0.9.3 (CVE-2013-5645).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645
http://trac.roundcube.net/ticket/1489251
http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
========================

Updated packages in core/updates_testing:
========================
roundcubemail-0.7.4-1.2.mga2
roundcubemail-0.9.3-1.mga3

from SRPMS:
roundcubemail-0.7.4-1.2.mga2.src.rpm
roundcubemail-0.9.3-1.mga3.src.rpm
CC: (none) => mageia
Assignee: mageia => qa-bugs
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9640#c5
Whiteboard: (none) => has_procedure
Fedora has issued an advisory for this on August 23: https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114854.html
URL: (none) => http://lwn.net/Vulnerabilities/565276/
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure mga2too
Advisory 11069.adv uploaded to svn. I'll test this shortly.
I can't recreate the poc in Mageia 2. Any point in pushing the update for it?

In Mageia 3, running the installer fails, when it's trying to generate the config files with ...
    main.inc.php: NOT OK(Unable to read file. Did you create the config files?)
    db.inc.php: NOT OK(Unable to read file. Did you create the config files?)

To fix the problem, I had to run ...
    ln -s /etc/roundcubemail/ /usr/share/roundcubemail/config

In Mageia 3, the poc works. To create it, Select the Settings/Identities, and select the user, then paste
    test<b onmouseover="alert(document.cookie)">asd</b>
into the signature field. Once it's saved, hovering the mouse over the asd part shows the problem.

I'll test the update on Mageia 3 shortly.
Testing complete on Mageia 3 x86_64. I've also added a comment to bug 9915 about the symlink problem.
Whiteboard: has_procedure mga2too => has_procedure mga2too MGA3-64-OK MGA3-32-OK
Testing complete on Mageia 2 i586 and x86_64. Although no change noticed, as the poc doesn't work on Mageia 2, no regressions found. Someone from the sysadmin team please push 11069.adv to updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2too MGA3-64-OK MGA3-32-OK => has_procedure mga2too MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0270.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED