OpenSuSE has issued an advisory today (June 29):
http://lists.opensuse.org/opensuse-updates/2015-06/msg00062.html

We should also update Mageia 5 to 1.0.6.
This bug is now fixed and the following packages are in mga5 updates_testing:

roundcubemail-1.0.6-1.mga5.src.rpm
roundcubemail-1.0.6-1.mga5.noarch.rpm

Assigning it to QA.
Status: NEW => ASSIGNED
CC: (none) => thomas
Assignee: thomas => qa-bugs
Thanks Thomas!

Advisory:
----------------------------------------

The roundcubemail package has been updated to version 1.0.6, which contains a couple of security improvements and several bug fixes. See the upstream release announcement for more details.

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.0.6
http://lists.opensuse.org/opensuse-updates/2015-06/msg00062.html
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=9640#c5
Whiteboard: (none) => has_procedure
Advisory committed to svn.
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory
CVE request: http://openwall.com/lists/oss-security/2015/07/06/10
Now we have some CVEs. The DBMail driver issue has CVEs noted on the upstream bug:
http://trac.roundcube.net/ticket/1490261

The CVE request gained CVE assignments, including one for the vCard issue:
http://openwall.com/lists/oss-security/2015/07/07/2

Please update the advisory in SVN.

Advisory:
========================

Updated roundcubemail packages fix security vulnerabilities:

Multiple security issues in the DBMail driver for the password plugin, including buffer overflows (CVE-2015-2181) and the ability for a remote attacker to execute arbitrary shell commands as root (CVE-2015-2180).

An authenticated user can download arbitrary files from the web server that the web server process has read access to, by uploading a vCard with a specially crafted POST (CVE-2015-5382).

The roundcubemail package has been updated to version 1.0.6, fixing these issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5382
http://openwall.com/lists/oss-security/2015/07/07/2
http://trac.roundcube.net/ticket/1490261
https://github.com/roundcube/roundcubemail/releases/tag/1.0.6
http://lists.opensuse.org/opensuse-updates/2015-06/msg00062.html
Whiteboard: has_procedure advisory => has_procedure
Summary: roundcubemail new security improvements in 1.0.6 => roundcubemail new security issues CVE-2015-218[01] and CVE-2015-5382
Updated advisory committed to svn.
Whiteboard: has_procedure => has_procedure advisory
Another LWN entry, I've asked them to merge them: http://lwn.net/Vulnerabilities/650994/
LWN reference for CVE-2015-538[1-3]:
http://lwn.net/Vulnerabilities/652800/

Fedora has issued an advisory for this on July 13:
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162461.html
Note the procedure is shown at https://wiki.mageia.org/en/QA_procedure:Roundcubemail which can be found by clicking on the wiki link for the update in madb.
Unfortunately, that procedure is outdated.

> in main.inc.php you have to edit following line (line 159) to enable the setup via browser:

There is no main.inc.php anymore. It and db.inc.php are combined into config.inc.php. The syntax also changed slightly. The developers are running and leave the doc people far behind.

There seems to be a problem with the DB (at least on my box); I am trying to fix it. Let me know if you see the same.
Let me know if you experience the problem of a lot of DB errors showing in the log and on the web interface. It may be that my server just didn't do the upgrade right from mga4 to mga5, or there may be a bug. Anyway, I have a fix and if needed it could be added to the Errata.
I could never get roundcubemail 1.0.6 installed. 1.0.5 installed. This is the message when I try to install 1.0.6. Something wrong in dependencies, I think.

----
Sorry, the following package cannot be selected:
- roundcubemail-1.0.6-1.mga5.noarch (due to unsatisfied pear(Console/CommandLine.php))
-----
CC: (none) => brtians1
php-pear-Console_CommandLine would provide it, but we don't package it.

Per INSTALL in the source, these are the pear requirements:

* PEAR packages distributed with Roundcube or external:
  - Mail_Mime 1.8.1 or newer
  - Mail_mimeDecode 1.5.5 or newer
  - Net_SMTP (latest from https://github.com/pear/Net_SMTP/)
  - Net_IDNA2 0.1.1 or newer
  - Auth_SASL 1.0.6 or newer
  - Net_Sieve 1.3.2 or newer (for managesieve plugin)
  - Crypt_GPG 1.2.0 or newer (for enigma plugin)

So let me ask on the mailing list. It could be just one of those auto-requires.
Trying this for Mageia 5 x64. Help!

I installed roundcubemail-1.0.5-4.mga5 & all its dependencies. Then followed both procedures referred to + Comment 11:
https://wiki.mageia.org/en/QA_procedure:Roundcubemail
https://bugs.mageia.org/show_bug.cgi?id=9640#c5

Stuck on the installation which others seem to have done without problems. Mainly a question of what to put in various lines of the config file:
/etc/roundcubemail/config.inc.php
(and at the same time update the QA_procedure:Roundcubemail instructions).

OK $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';

? $config['default_host'] = 'localhost';

? $config['smtp_server'] = 'smtp.free.fr';
I already fiddled with this - but was it necessary? If so, I imagine these two might be needed also:
$config['smtp_user'] = '';
$config['smtp_pass'] = '';

Are you supposed to link Roundcube mail to your external e-mail service? Why is there all this stuff for outgoing SMTP, and not the equivalent for incoming POP3?

I see no reference in the config file to 'enabling the installer' as mentioned by Claire (but not the procedure). BTAIM going to:
http://localhost/roundcubemail/installer
goes nowhere - Error 404, not found.

Going to http://localhost/roundcubemail gives me "DATABASE ERROR: CONNECTION FAILED!", despite MariaDB having been set up as per both procedures: DBname roundcubemail; DBuser roundcube; DBpassword pass; all permissions granted & flushed. Probably due to not having gone through the installer.
CC: (none) => lewyssmith
(In reply to Thomas Spuhler from comment #14)
> php-pear-Console_CommandLine would provide it, but we don't package it.
> per INSTALL in the source
> These are the pear requirements:
> * PEAR packages distributed with Roundcube or external:
> - Mail_Mime 1.8.1 or newer
> - Mail_mimeDecode 1.5.5 or newer
> - Net_SMTP (latest from https://github.com/pear/Net_SMTP/)
> - Net_IDNA2 0.1.1 or newer
> - Auth_SASL 1.0.6 or newer
> - Net_Sieve 1.3.2 or newer (for managesieve plugin)
> - Crypt_GPG 1.2.0 or newer (for enigma plugin)
>
> So let me ask on the mailing list. It could be just one of those
> auto-requires

Just to give you an update on the require Console_CommandLine. Upstream claims:

**** Console/CommandLine is a dependency of Crypt_GPG package, for Roundcube 1.0 and 1.1 you can ignore it, because Enigma plugin should not be used, even removed from the package (and this is the only part that requires Crypt_GPG) ****

which is just not true. The requirement is in the code of roundcubemail and our buildserver turns that into an autorequires. It seems to be safe to just add an exception, as the feature of enigmail hasn't been implemented in this version.
(In reply to Lewis Smith from comment #15)
> Trying this for Mageia 5 x64. Help!
>
> I installed roundcubemail-1.0.5-4.mga5 & all its dependancies. Then followed
> both procedures referred to + Comment 11:
> https://wiki.mageia.org/en/QA_procedure:Roundcubemail
> https://bugs.mageia.org/show_bug.cgi?id=9640#c5
>
> Stuck on the installation which others seem to have done without problems.
> Mainly a question of what to put in various lines of the config file:
> /etc/roundcubemail/config.inc.php
> (and at the same time update the QA_procedure:Roundcubemail instructions).
>
> OK $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
>
> ? $config['default_host'] = 'localhost';
>
> ? $config['smtp_server'] = 'smtp.free.fr';
> I already fiddled with this - but was it necessary? If so, I imagine these
> two might be needed also:
> $config['smtp_user'] = '';
> $config['smtp_pass'] = '';
>
> Are you supposed to link Roundcube mail to your external e-mail service?
> Why is there all this stuff for outgoing SMTP, and not the equivalent for
> incoming POP3?

There is, the IMAP server section.

> I see no reference in the config file to 'enabling the installer' as
> mentioned by Claire (but not the procedure). BTAIM going to:
> http://localhost/roundcubemail/installer
> goes nowhere - Error 404, not found.
>
> Going to http://localhost/roundcubemail gives me "DATABASE ERROR: CONNECTION
> FAILED!", despite MariaDB having been set up as per both_procedures: DBname
> roundcubemail; DBuser roundcube; DBpassword pass; all permissions granted &
> flushed. Probably due to not having gone through the installer.

I am using this with the kolab stack and it configures the roundcubemail. I am using 389-ds as the LDAP server.
I have this in my /etc/roundcubemail/config.inc.php file (aargau.btspuhler.com is my mailserver):

<?php
$config = array();
$config['force_https'] = 8443;
$config['db_dsnw'] = 'mysqli://roundcube:thomas@localhost/roundcube';
$config['session_domain'] = '';
$config['des_key'] = "63APEfpiSam193V4tP1ZgQeo";
$config['username_domain'] = 'btspuhler.com';
$config['use_secure_urls'] = true;
$config['assets_path'] = '/roundcubemail/assets/';
$config['assets_dir'] = '/usr/share/roundcubemail/public_html/assets/';
$config['mail_domain'] = '';

// IMAP Server Settings
$config['default_host'] = 'tls://aargau.btspuhler.com';
$config['default_port'] = 143;
$config['imap_delimiter'] = '/';
$config['imap_force_lsub'] = true;

// Caching and storage settings
$config['imap_cache'] = 'db';
$config['imap_cache_ttl'] = '10d';
$config['messages_cache'] = 'db';
$config['message_cache_ttl'] = '10d';
$config['session_storage'] = 'db';

// SMTP Server Settings
$config['smtp_server'] = 'tls://aargau.btspuhler.com';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['smtp_helo_host'] = $_SERVER["HTTP_HOST"];

// LDAP Settings
$config['ldap_cache'] = 'db';
$config['ldap_cache_ttl'] = '1h';

Sorry for not being of much help, but I know mga folks are using it. Maybe you should ask at the dev mailing list.
I notice from the Updates Testing list that Roundcubemail is described as *an IMAP client*. Which explains the lack of POP3 in its config file. I think I have been flogging a dead horse here: I do not have an IMAP account, just POP3. So I back out. But thanks for Thomas's info in Comment 17 anyway.

-----------------------------

Additionally, from Comment 13:
" Sorry, the following package cannot be selected:
- roundcubemail-1.0.6-1.mga5.noarch (due to unsatisfied pear(Console/CommandLine.php))"

This is a real problem if you have roundcubemail installed & want to try *any* update. The Updates Testing list is displayed after that warning message, everything selected *except* roundcubemail. When you click 'Select everything' to DEselect everything, the message is displayed & everything (except roundcubemail) remains ticked. You have to individually deselect every package you do *not* want, to leave selected just those you want. *Very* tedious, so please crack this one.
Adding feedback until the invalid dependency is properly excluded.
Whiteboard: has_procedure advisory => has_procedure advisory feedback
This dependency problem is now resolved by adding an exception. The following packages are now in updates_testing:

roundcubemail-1.0.6-1.1.mga5.src.rpm
roundcubemail-1.0.6-1.1.mga5.noarch.rpm
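The pear(Console/CommandLine.php) requirement discussed in comments 14, 17 and above comes from the build server's automatic dependency generator, which scans the PHP sources for require/include statements and emits a pear(...) requirement for each PEAR-style path; the fix was to add an exception so that one generated requirement is dropped. The script below is an added illustration of that mechanism and is not code from this bug, from Roundcube or from Mageia's build system: the scanner is a simplified stand-in for the real generator (whose exact rules are not shown here), the exception filter mirrors what rpm's __requires_exclude macro does (assumed to be how the exception was added; the spec change itself is not quoted), and the sample PHP files it creates are constructed for the demonstration and do not reproduce Roundcube's actual file layout.

```shell
#!/bin/sh
# Added illustration of how a packager's auto-requires arise from PHP sources
# and how one of them is excluded. Simplified stand-in, not the real generator.

# Emit one "pear(<path>)" line per distinct PEAR-style include found under $1.
# Only a quoted path containing at least one "/" counts (Mail/mime.php,
# Console/CommandLine.php); an include built from INSTALL_PATH . '...' points
# at the package's own files and is skipped, as a real generator would do.
php_pear_requires() {
    pat="(require|include)(_once)?[[:space:]]*\(?[[:space:]]*['\"][A-Za-z0-9_]+(/[A-Za-z0-9_]+)+\.php['\"]"
    find "$1" -name '*.php' -exec grep -hoE "$pat" {} + \
        | sed -E "s/.*['\"]([^'\"]+)['\"].*/pear(\1)/" \
        | sort -u
}

# Drop every requirement matching the ERE in $1. This is the role rpm's
# __requires_exclude macro plays in a spec file (assumed mechanism): the
# dependency is still in the code, but it is no longer recorded in the package.
# grep -v exits 1 when nothing is left, which is not an error here.
filter_requires() {
    grep -vE "$1" || [ $? -eq 1 ]
}

# Constructed sample tree (not Roundcube's real layout): one file including a
# PEAR library the distribution ships, one plugin file pulling in
# Console/CommandLine.php, and one INSTALL_PATH include that must be ignored.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/program/include" "$d/plugins/enigma/lib"
    cat > "$d/program/include/sample_mime.php" <<'EOF'
<?php
require_once INSTALL_PATH . 'program/include/clisetup.php';
require_once 'Mail/mime.php';
EOF
    cat > "$d/plugins/enigma/lib/sample_driver.php" <<'EOF'
<?php
require_once 'Crypt/GPG.php';
require_once('Console/CommandLine.php');
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: raw auto-requires, then the set after the exception.
tree=$(make_sample_tree)
echo "auto-generated requires:"
php_pear_requires "$tree"
echo "after excluding pear(Console/CommandLine.php):"
php_pear_requires "$tree" | filter_requires 'pear\(Console/CommandLine\.php\)'
rm -rf "$tree"
```

Run against a real unpacked source tree (`php_pear_requires roundcubemail-1.0.6/`) the same scan shows where a requirement such as Console/CommandLine.php actually originates, which is the check that settled whether the dependency lived in Roundcube's own code or only in Crypt_GPG; excluding it is only safe while the code path that includes it, the enigma plugin here, is not used.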
Whiteboard: has_procedure advisory feedback => has_procedure advisory
Removing advisory tag as the package version will need to be updated in the advisory in SVN.
Adding feedback marker for now.

The index.php in /usr/share/roundcubemail makes reference to ./installer/index.php as the installer path, which is as expected. The installer directory is completely missing though.

# ll /usr/share/roundcubemail/
total 44
drwxr-xr-x  2 root root  4096 Sep 18 13:42 bin/
-rw-r--r--  1 root root   381 Jan 24  2015 composer.json-dist
lrwxrwxrwx  1 root root    26 Feb 20  2015 config -> ../../../etc/roundcubemail/
-rw-r--r--  1 root root 12962 Jan 24  2015 index.php
lrwxrwxrwx  1 root root    30 Feb 20  2015 logs -> ../../../var/log/roundcubemail/
drwxr-xr-x 52 root root  4096 Sep 18 13:42 plugins/
drwxr-xr-x  8 root root  4096 Sep 18 13:42 program/
-rw-r--r--  1 root root  3833 Jan 24  2015 README.md
-rw-r--r--  1 root root    26 Jan 24  2015 robots.txt
drwxr-xr-x  5 root root  4096 Sep 18 13:42 skins/
lrwxrwxrwx  1 root root    30 Feb 20  2015 temp -> ../../../var/lib/roundcubemail/

This means even after adding
$config['enable_installer'] = true;
to /etc/roundcubemail/config.inc.php it is inaccessible and, as it stands, the package is uninstallable on its own.

# urpmf roundcubemail | grep installer | wc -l
0
Whiteboard: has_procedure => has_procedure feedback
From the spec:

rm -rf %{buildroot}%{roundcube}/installer
It is a known issue that the installer doesn't work: https://bugs.mageia.org/show_bug.cgi?id=13056

I removed it April 9, 2014 during the upgrade from vers. 0.95 to 1.0.0, probably because it didn't work.

But roundcube is installable, initial install and update. Nothing has changed in this regard with the update. There is an error message, but no regression.

75/82: roundcubemail #########################################################################################################
ERROR: Error connecting to database: SQLSTATE[HY000] [2002] No such file or directory

What we maybe should do is to remove the deps to kolab packages, but again no regression. That was introduced also April 9, 2014.
Whiteboard: has_procedure feedback => has_procedure
Whether it's a regression or not is only part of the decision to push an update - it's more important to decide whether or not the issues can be fixed *with* this update. This is the first update since it was broken. As it seems the known bug is quite stale, over a year old, and this is a security update, I guess we can push this and just test that the package itself updates cleanly this time around; as a broken package. I don't understand why the installer would be removed in the first place. Validating. Advisory updated with new information. Please push to 5 updates Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure advisory mga5-64-ok
CC: (none) => sysadmin-bugs
(In reply to claire robinson from comment #26)
> Whether it's a regression or not is only part of the decision to push an
> update - it's more important to decide whether or not the issues can be
> fixed *with* this update. This is the first update since it was broken.

Hmmm, the installer was removed April 9, 2014, vers. 0.95 to 1.0.0, so we had several updates since. I think it's more important to fix the security issue right now. Roundcubemail has to be installed on a server and the sysadmins usually know how to do the configuration manually.

I will check if the installer now works and fix https://bugs.mageia.org/show_bug.cgi?id=13056 and then, if it works, add it.

> As it seems the known bug is quite stale, over a year old, and this is a
> security update, I guess we can push this and just test that the package
> itself updates cleanly this time around; as a broken package.
>
> I don't understand why the installer would be removed in the first place.
>
> Validating. Advisory updated with new information.
>
> Please push to 5 updates
>
> Thanks.
I actually found in file roundcubemail-README.mageia:

WARNING: when upgrading from <= 0.9.5 the old configuration files named main.inc.php and db.inc.php are now deprecated and should be replaced with one single config.inc.php file. Run the ./bin/update.sh script to get this conversion done or manually merge the files.

NOTE: the new config.inc.php should only contain options that differ from the ones listed in defaults.inc.php.

The Roundcube installer is not included in the Mageia package, as its method of operation is not compatible with distribution packaging.

Thomas Spuhler 2014-04-08
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0400.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
CC: lewyssmith => (none)