A CVE has been assigned for a security issue fixed upstream in roundcubemail:
http://openwall.com/lists/oss-security/2016/12/08/17

The issue is fixed in 1.2.3, for which Cauldron has been updated.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

Users can execute commands on the server by writing e-mails, due to insufficient sanitation of the from field when calling PHP's mail() function (CVE-2016-9920).

Note that only roundcubemail installations that don't have an SMTP server configured for mail delivery are affected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9920
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
http://openwall.com/lists/oss-security/2016/12/08/17
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.0.9-1.1.mga5

from roundcubemail-1.0.9-1.1.mga5.src.rpm
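The advisory above limits exposure to installations with no SMTP server configured. The following triage check is an added example, not part of the original report or of Roundcube: it reads a config.inc.php and reports whether mail delivery falls back to PHP's mail(). It assumes the Roundcube 1.x behaviour that an empty or unset `smtp_server` selects mail(); the function names and sample configs are constructed for illustration.

```python
import re

# Live (uncommented) assignment, e.g.  $config['smtp_server'] = 'tls://host';
# Lines starting with // or # never match because the pattern must begin at "$".
ASSIGN = re.compile(
    r"""^\s*\$config\[\s*['"]smtp_server['"]\s*\]\s*=\s*(['"])(.*?)\1\s*;"""
)

def strip_block_comments(text):
    """Drop /* ... */ spans so commented-out settings are ignored."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)

def effective_smtp_server(config_text):
    """Return the last literal value assigned to smtp_server ('' if none)."""
    value = ""  # assumed shipped default: empty, meaning PHP mail()
    for line in strip_block_comments(config_text).splitlines():
        m = ASSIGN.match(line)
        if m:
            value = m.group(2).strip()  # later assignments override earlier ones
    return value

def uses_php_mail(config_text):
    """True when the config leaves delivery to mail(), the affected case."""
    return effective_smtp_server(config_text) == ""

# Constructed sample: database configured, SMTP only present as a comment.
SAMPLE_MAIL = """<?php
$config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
// $config['smtp_server'] = 'localhost';
/* $config['smtp_server'] = 'old.example.org'; */
"""

# Constructed sample: an empty value later overridden by a real server.
SAMPLE_SMTP = """<?php
$config['smtp_server'] = '';
$config['smtp_server'] = 'tls://mail.example.org';
"""

if __name__ == "__main__":
    for name, cfg in (("SAMPLE_MAIL", SAMPLE_MAIL), ("SAMPLE_SMTP", SAMPLE_SMTP)):
        state = "mail() fallback, update needed" if uses_php_mail(cfg) else "SMTP configured"
        print(f"{name}: {state}")
```

The check only sees literal string assignments; a value built from a PHP expression or set in an included file needs manual review.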
MGA5-32 on Acer D620 Xfce No installation issues. Still hitting same "Error 404" problem as in previous updates (bug 18257), so OK as is.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
Testing M5 x64

All previous info got nowhere, so this is basically (as recommended) just an install + update run-through.

BEFORE update:
Installed from normal repos: roundcubemail-1.0.9-1.mga5
before I had set up a database - which threw an error
"grep: /etc/php.d/99_apc.ini: No such file or directory
ERROR: Error connecting to database: SQLSTATE[HY000] [1045] Access denied for user 'roundcube'@'localhost' (using password: YES)";
which I then did as per the Wiki:
 MariaDB [(none)]> CREATE USER roundcube IDENTIFIED BY 'pass';
 MariaDB [(none)]> CREATE DATABASE roundcubemail;
 MariaDB [(none)]> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'pass';
 MariaDB [(none)]> FLUSH PRIVILEGES;
 MariaDB [(none)]> exit
Using the example values means that /etc/roundcubemail/config.inc.php already has the correct database line:
 $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
http://localhost/roundcubemail/
yielded a Roundcube page with "DATABASE ERROR: CONNECTION FAILED!"

AFTER update to: roundcubemail-1.0.9-1.1.mga5
Two config file confirmations during the update (accepted both new).
http://localhost/roundcubemail/ gave the same error as before.

OKing this because the update went OK. But it would be nice to find a way to have this thing visibly working. Validating at the same time.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0430.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED