OpenSuSE has issued an advisory today (November 4): http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html The XSS issue is in the software itself. The other issue is specific to OpenSuSE's package; I don't know if it affects ours.
This bug has been fixed by upgrading to version 1.0.7. The following packages are now in upgrades_testing:
roundcubemail-1.0.7-1.mga5.src.rpm
roundcubemail-1.0.7-1.mga5.noarch.rpm
Status: NEW => ASSIGNED
assigning to qa
CC: (none) => thomas
Assignee: thomas => qa-bugs
MGA5-32 on AcerD620. No installation issues. Followed instructions on bug 9640 Comment 5, but getting nowhere. Created same database, user and password, checked config.inc.php file. Difference is that there is no more main.inc.php, I changed the installer allowed in the defaults.inc.php. When I go to http://localhost/roundcubemail/installer , I get error 404. Putting the line for the installer in the config.inc.php does not help.
CC: (none) => herman.viaene
The installer was removed so this package is pretty useless on its own as it stands. Please just verify that it updates cleanly.
Above test was on a blank PC as far as roundcube is concerned. Now I first deleted 1.0.7-1, installed the previous 1.0.6-1.1 without problems and then installed 1.0.7-1 over it, no issues. So OK then.
Whiteboard: (none) => MGA5-32-OK
Validating.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs
Missing advisory.
Advisory:
----------------------------------------
The roundcubemail package has been updated to version 1.0.7, which fixes a XSS issue in drag-n-drop file uploads and other bugs. See the upstream release announcement for more details.
References:
https://github.com/roundcube/roundcubemail/releases/tag/1.0.7
http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html
advisory added to svn
CC: (none) => tmb
Whiteboard: MGA5-32-OK mga5-64-ok => MGA5-32-OK mga5-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0438.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
The XSS issue is apparently CVE-2015-8105 according to the Gentoo advisory: http://lwn.net/Vulnerabilities/679406/ https://security.gentoo.org/glsa/201603-03
Summary: roundcubemail new security issues fixed upstream in 1.0.7 => roundcubemail new security issues fixed upstream in 1.0.7 (CVE-2015-8105)