Bug 17085 - roundcubemail new security issues fixed upstream in 1.0.7 (CVE-2015-8105)
Summary: roundcubemail new security issues fixed upstream in 1.0.7 (CVE-2015-8105)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/663069/
Whiteboard: MGA5-32-OK mga5-64-ok advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-11-04 19:29 CET by David Walser
Modified: 2016-03-09 20:01 CET

See Also:
Source RPM: roundcubemail-1.0.6-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-11-04 19:29:04 CET
OpenSuSE has issued an advisory today (November 4):
http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html

The XSS issue is in the software itself.  The other issue is specific to OpenSuSE's package; I don't know if it affects ours.

Comment 1 Thomas Spuhler 2015-11-04 22:32:33 CET
This bug has been fixed by upgrading to version 1.0.7.
The following packages are now in updates_testing:

roundcubemail-1.0.7-1.mga5.src.rpm
roundcubemail-1.0.7-1.mga5.noarch.rpm

Status: NEW => ASSIGNED

Comment 2 Thomas Spuhler 2015-11-04 22:34:05 CET
assigning to qa

CC: (none) => thomas
Assignee: thomas => qa-bugs

Comment 3 Herman Viaene 2015-11-06 16:07:25 CET
MGA5-32 on AcerD620
No installation issues.
Followed instructions on bug 9640 Comment 5, but getting nowhere.
Created the same database, user and password, and checked the config.inc.php file.
The difference is that there is no more main.inc.php; I changed the installer-allowed setting in defaults.inc.php.
When I go to http://localhost/roundcubemail/installer, I get a 404 error.
Putting the line for the installer in config.inc.php does not help.

CC: (none) => herman.viaene

Comment 4 claire robinson 2015-11-06 16:22:22 CET
The installer was removed, so this package is pretty useless on its own as it stands.

Please just verify that it updates cleanly.

Comment 5 Herman Viaene 2015-11-06 17:02:22 CET
Above test was on a blank PC as far as roundcube is concerned.
Now I first deleted 1.0.7-1, installed the previous 1.0.6-1.1 without problems and then installed 1.0.7-1 over it, no issues. So OK then.

Whiteboard: (none) => MGA5-32-OK

Comment 6 claire robinson 2015-11-07 17:48:57 CET
Validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2015-11-07 18:04:40 CET
Missing advisory.

Comment 8 David Walser 2015-11-07 18:53:05 CET
Advisory:
----------------------------------------

The roundcubemail package has been updated to version 1.0.7, which fixes an
XSS issue in drag-and-drop file uploads and other bugs. See the upstream
release announcement for more details.

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.0.7
http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html

Comment 9 Thomas Backlund 2015-11-07 20:48:20 CET
advisory added to svn

CC: (none) => tmb
Whiteboard: MGA5-32-OK mga5-64-ok => MGA5-32-OK mga5-64-ok advisory

Comment 10 Mageia Robot 2015-11-07 21:12:21 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0438.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 11 David Walser 2016-03-09 20:01:34 CET
The XSS issue is apparently CVE-2015-8105 according to the Gentoo advisory:
http://lwn.net/Vulnerabilities/679406/
https://security.gentoo.org/glsa/201603-03

Summary: roundcubemail new security issues fixed upstream in 1.0.7 => roundcubemail new security issues fixed upstream in 1.0.7 (CVE-2015-8105)