Upstream has released version 1.0.9 on April 19: https://github.com/roundcube/roundcubemail/releases/tag/1.0.9 They noted in the announcement that it fixes CVE-2015-2181. Additional CVEs were requested for the other security fixes, and CVE-2015-8864 and CVE-2016-4069 were assigned: http://openwall.com/lists/oss-security/2016/04/23/4 Note the CVE-2016-4068 issue also, which has not yet been fixed.
I got an e-mail about new maintenance releases fixing bugs. It didn't catch my attention because the word "security" was missing. I will now do the upgrade. Thanks, David.
Status: NEW => ASSIGNED
This bug has been resolved by upgrading to vers. 1.0.9.

The following packages are now in updates_testing:
roundcubemail-1.0.9-1.mga5.src.rpm
roundcubemail-1.0.9-1.mga5.noarch.rpm

Assigning to qa.
Assignee: thomas => qa-bugs
Applies to cauldron as well. There's a newer 1.2 RC out but I didn't check what it fixes.
CC: (none) => oe
I am working on upgrading to the RC1. BTW, 1.2 should be released soon.
CC: (none) => thomas
Advisory:
========================

Updated roundcubemail packages fix security vulnerabilities:

More security issues in the DBMail driver for the password plugin, related to CVE-2015-2181.

XSS issue in SVG images handling (CVE-2015-8864).

Lack of protection for attachment download URLs against CSRF (CVE-2016-4069).

The roundcubemail package has been updated to version 1.0.9, fixing these issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4069
http://openwall.com/lists/oss-security/2016/04/23/4
https://github.com/roundcube/roundcubemail/releases/tag/1.0.9
http://lists.roundcube.net/pipermail/users/2016-April/011299.html
Trying to test this on x86_64 but may have to yield. Before update I could not get to the installer stage in the browser.

Background:

$ mysql -u root -p
Enter password:
MariaDB [(none)]> CREATE USER roundcube IDENTIFIED BY 'mailman';
MariaDB [(none)]> CREATE DATABASE roundcubemail;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'mailman';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;
Bye

Made the necessary changes in /etc/roundcubemail/config.inc.php

@firefox http:/localhost/roundcubemail/installer/
Error 404

# mysql -u root -p
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| boojum             |
| cacti              |
| information_schema |
| moodle             |
| mysql              |
| performance_schema |
| roundcubemail      |
| test               |
+--------------------+

Where have I gone wrong?
CC: (none) => tarazed25
Without the installer stage it goes straight to the roundcube interface page and presents:

DATABASE ERROR: CONNECTION FAILED
Unable to connect to the database!

None of the menu buttons respond, not even logout.
In a somewhat contentious decision, the installer for roundcubemail was removed, making it a bit useless as a standalone package. See: https://bugs.mageia.org/show_bug.cgi?id=16249 Please just ensure it updates cleanly.
Advisory uploaded.
Whiteboard: (none) => has_procedure advisory
Thanks for the information Claire. Installed the update OK.

# urpmi roundcubemail
A requested package cannot be installed:
roundcubemail-1.0.8-1.mga5.noarch (in order to keep roundcubemail-1.0.9-1.mga5.noarch)

Pointing the browser at localhost/roundcubemail presents the interface as before with the 404 error. So I guess we give this the OK and validate it.
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0155.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/685881/