Upstream has released version 1.0.8 on December 23, fixing a security issue:
http://lists.roundcube.net/pipermail/users/2015-December/011226.html

Updated package uploaded for Mageia 5 by Thomas.

Advisory:
----------------------------------------

The roundcubemail package has been updated to version 1.0.8, which fixes a path traversal issue and other bugs. See the upstream release announcement for more details.

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.0.8
http://lists.roundcube.net/pipermail/users/2015-December/011226.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
roundcubemail-1.0.8-1.mga5

from roundcubemail-1.0.8-1.mga5.src.rpm
CC: (none) => thomas
MGA5-32 Xfce on AcerD620
No installation issues.
As per bug 17085 no further testing possible, so OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0016.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Apparently this received CVE-2015-8770. Thomas, according to the Arch advisory, you need to update Cauldron to 1.2 beta 2 to fix this.
URL: (none) => http://lwn.net/Vulnerabilities/672317/
Summary: roundcubemail new security issue fixed upstream in 1.0.8 => roundcubemail new security issue fixed upstream in 1.0.8 (CVE-2015-8770)
I will update it as soon as there is a new source code available
(In reply to Thomas Spuhler from comment #4)
> I will update it as soon as there is a new source code available

OK, yeah I see they haven't made a new release yet on that branch. The commit that fixes it in 1.2 beta is here:
https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d