Upstream has issued an advisory on October 21: http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
Guillaume Rousse has requested a freeze push to update this for Cauldron.
CC: (none) => guillomovitch
Summary: roundcubemail new security issues fixed in 0.9.5 and 0.8.7 => roundcubemail new security issue fixed in 0.9.5 and 0.8.7 (CVE-2013-6172)
Whiteboard: (none) => MGA2TOO
Advisories for this have been issued by Debian and Fedora:
http://www.debian.org/security/2013/dsa-2787
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119655.html
URL: (none) => http://lwn.net/Vulnerabilities/571975/
roundcubemail-0.9.5-1.mga3 and roundcubemail-0.7.4-1.3.mga2 have been submitted, which fixes this.
CC: (none) => oe
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:263/
Thanks Oden!

Advisory:
========================
Updated roundcubemail package fixes security vulnerability:

It was discovered that roundcube does not properly sanitize the _session parameter in steps/utils/save_pref.inc during saving preferences. The vulnerability can be exploited to overwrite configuration settings and subsequently allow random file access, manipulated SQL queries and even code execution (CVE-2013-6172).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6172
http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
http://www.debian.org/security/2013/dsa-2787
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:263/
========================

Updated packages in core/updates_testing:
========================
roundcubemail-0.7.4-1.3.mga2
roundcubemail-0.9.5-1.mga3

from SRPMS:
roundcubemail-0.7.4-1.3.mga2.src.rpm
roundcubemail-0.9.5-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
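As an added illustration of the bug class the advisory describes (this is not Roundcube's code; the function names, preference names and session keys are hypothetical), the unsafe pattern of letting the request choose which session key gets written, beside an allowlisted version that only accepts known preference names and derives the session key from that allowlist:

```php
<?php
// Added illustration, not Roundcube's code. Function and key names are
// hypothetical; the point is the pattern, not the project's real handler.
// Unsafe pattern: the request names both the preference AND the session key.
// Anything the application later reads back from the session as
// configuration (paths, query fragments, ...) becomes user-controlled.
function save_pref_unchecked(array &$session, array &$prefs, array $post): void
{
    $name    = $post['_name']    ?? '';
    $value   = $post['_value']   ?? '';
    $sessKey = $post['_session'] ?? '';
    $prefs[$name] = $value;
    if ($sessKey !== '') {
        $session[$sessKey] = $value;   // $sessKey is never validated
    }
}

// Hardened pattern: the preference name must be on an explicit allowlist, and
// the session key (if any) comes from that allowlist, not from the request.
const ALLOWED_PREFS = [
    'preview_pane' => 'preview_pane',  // pref mirrored into the session
    'list_cols'    => 'list_cols',
    'timezone'     => null,            // pref only, nothing in session
];

function save_pref_allowlisted(array &$session, array &$prefs, array $post): bool
{
    $name  = $post['_name']  ?? '';
    $value = $post['_value'] ?? '';
    if (!array_key_exists($name, ALLOWED_PREFS)) {
        return false;                  // unknown name: reject and log it
    }
    $prefs[$name] = $value;
    if (ALLOWED_PREFS[$name] !== null) {
        $session[ALLOWED_PREFS[$name]] = $value;
    }
    return true;
}

// Constructed request naming a session key the app treats as configuration.
$session = ['user_id' => 42, 'temp_dir' => '/var/tmp/rc'];
$prefs   = [];
$request = ['_name' => 'x', '_value' => '/some/other/dir', '_session' => 'temp_dir'];
save_pref_unchecked($session, $prefs, $request);
printf("unchecked: temp_dir is now %s\n", $session['temp_dir']);
$session['temp_dir'] = '/var/tmp/rc';
printf("allowlisted: accepted=%s, temp_dir is %s\n",
    var_export(save_pref_allowlisted($session, $prefs, $request), true),
    $session['temp_dir']);
```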
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9640#c5
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Testing complete mga2 32 Same issues as bug 9640 comment 5 but nothing new.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-32-ok
Severity: normal => critical
Testing complete mga2 64
Whiteboard: MGA2TOO has_procedure mga2-32-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok
Mga3 64

On step 2 of the installer it can't create the config files; continuing with the installer fails, saying it can't find the config files and so database settings etc. too. See last update for this also.
https://bugs.mageia.org/show_bug.cgi?id=11069#c11

This package is generally quite poor in mga2 and mga3. I'll create some bugs for it later.

Using Dave's solution
ln -s /etc/roundcubemail/ /usr/share/roundcubemail/config
It then finds the config files but shows this error below about the logs, same as mga2, but also bizarrely one for /home/iurt..

---
Check if directories are writable
Roundcube may need to write/save files into these directories
/home/iurt/rpmbuild/tmp/: NOT OK(not writeable for the webserver)
/var/log/roundcubemail/: NOT OK(not writeable for the webserver)
---

Then trying to initialise the database it says..
Cannot read the schema file: /usr/share/roundcubemail/SQL/mysql.initial.sql

Giving up for now, I've run out of time today.
CC: (none) => davidwhodgins
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok advisory
Old issues still remain with this package and mga3 is impossible to use so just ensuring the update installs ok as we have too many other updates demanding our attention to spend more time on this one.
Testing complete mga3 32 & 64 (just that the update installs ok)

Validating the update. Advisory previously uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates
Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok advisory => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0325.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED