A security issue in roundcubemail fixed in 1.2.4 has been announced: http://openwall.com/lists/oss-security/2017/03/12/2 I'm not sure if Mageia 5 is affected, but the upstream commits that fixed the issue are linked in the message above.
Assigning to all packagers collectively, since there is no registered maintainer for this package
Status comment: (none) => Not sure whether Mga 5's roundcubemail-1.0.9 is affected, needs to be checked.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Source RPM: roundcoubemail-1.2.3-1.mga6.src.rpm => roundcubemail-1.2.3-1.mga6.src.rpm
Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element (CVE-2017-6820).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6820
http://openwall.com/lists/oss-security/2017/03/12/2
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.0.9-1.2.mga5

from roundcubemail-1.0.9-1.2.mga5.src.rpm
Status comment: Not sure whether Mga 5's roundcubemail-1.0.9 is affected, needs to be checked. => (none)
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Source RPM: roundcubemail-1.2.3-1.mga6.src.rpm => roundcubemail-1.0.9-1.1.mga5.src.rpm
openSUSE has issued an advisory for this today (March 19): https://lists.opensuse.org/opensuse-updates/2017-03/msg00056.html
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Trying to test this is as hopeless as it was in previous attempts (cfr bug 19920 and 18257 and 9640).
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Testing for roundcubemail-1.0.9-1.2.mga5 with mariadb

Installed roundcubemail from updates. Ignore error message caused by failure to update prior version, since prior version was not installed.

If not previously done, edit /etc/php.ini to uncomment and set the date.timezone, in the [Date] section. See http://php.net/manual/en/timezones.php for possible values. I'm using
date.timezone = America/Toronto

Ensure mariadb installed, started, and password set as per /usr/share/doc/mariadb/README.urpmi

For ease of use, install phpmyadmin, and login to http://localhost/phpmyadmin/ as the mariadb (aka mysql) root user with the admin password set in the prior step.

In the list of items across the top, select Users, then Add user.
Under Login information ...
For the user name, on the right enter the value roundcube
For the host, use the drop down on the left to select local.
In the Password line, enter the value such as munged
Also enter it on the following Re-type line.
Under DataBase for user select Create database with same name and grant all privileges.
Scroll down and on the right select Go.

NOTE: User name and database name are now both roundcube, with password munged.

Edit /etc/roundcubemail/config.inc.php replace the line ...
$config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
with ...
$config['db_dsnw'] = 'mysql://roundcube:munged@localhost/roundcube';

Restart apache with "systemctl restart httpd.service".

FIXED log permissions with "chmod g+w /var/log/roundcubemail"

While roundcubemail is responding at http://localhost/roundcubemail/ with a db connect error,
http://localhost/roundcubemail/installer returns with
404 - Object not found

I'm going to post to the dev mailing list that roundcube mail should be dropped, as a useless (as is) package.

Once confirmed that roundcubemail will be dropped from Mageia 6, will close this bug as wontfix.
CC: (none) => davidwhodgins
Also note that the update installs, but the script fails with
Updating database schema (2013061000)... [FAILED]
ERROR: Error in DDL upgrade 2013061000: [1146] Table 'roundcube.cache' doesn't exist
The package is in Cauldron, but it's a different version, so hopefully it's more obvious how to make it work. The maintainer is no longer with us, as you may have heard, but insisted that the Mageia 5 package worked as long as you knew how to make it work.

As for Cauldron, I seem to remember it being a requirement for Kolab or something, so I think that's the reason we have it. I wouldn't mind seeing it go, but you should always feel free to ask about something like that on the dev list.

Anyway, unless there's some obvious regression here, which there shouldn't be from this small patch, let's just push it and forget about the Mageia 5 version of this package, which we hopefully will never have to update again.
It is used as part of Kolab, Dave. Kolab does the necessary configuration. Unfortunately that makes it pretty useless as a stand alone package as the installer was removed. Not ideal and should probably be renamed kolab-roundcubemail to allow the full package to be installed with installer.

You *could* check it using kolab, but previously we've just ensured it updates cleanly.
'Testing' M5-64

Given the previous lack of success we have had with this package, which I had already installed (https://bugs.mageia.org/show_bug.cgi?id=19920#c2), and heeding Claire's comment 8, I just updated this to roundcubemail-1.0.9-1.2.mga5.

The update went smoothly, this time with no new config files to confirm, nor any errors.

http://localhost/roundcubemail/ yielded the familiar
"DATABASE ERROR: CONNECTION FAILED!
Unable to connect to the database!
Please contact your server-administrator."

So from previous testing precedents, & David's comment 7, I am OKing & validating this update. Advisory to follow immediately.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0092.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED