Mageia Bugzilla – Bug 20463
roundcubemail new security issue CVE-2017-6820
Last modified: 2017-03-27 23:28:11 CEST
A security issue in roundcubemail fixed in 1.2.4 has been announced:
I'm not sure if Mageia 5 is affected, but the upstream commits that fixed the issue are linked in the message above.
Assigning to all packagers collectively, since there is no registered maintainer for this package
Updated package uploaded for Cauldron.
Patched package uploaded for Mageia 5.
Updated roundcubemail package fixes security vulnerability:
rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is susceptible to a
cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS)
token sequence within an SVG element (CVE-2017-6820).
Updated packages in core/updates_testing:
openSUSE has issued an advisory for this today (March 19):
MGA5-32 on Asus A6000VM Xfce
No installation issues
Trying to test this is as hopeless as it was in previous attempts (cf. bugs 19920, 18257 and 9640).
Testing for roundcubemail-1.0.9-1.2.mga5 with mariadb
Installed roundcubemail from updates. Ignore error message caused by failure to
update prior version, since prior version was not installed.
If not previously done, edit /etc/php.ini to uncomment and set the date.timezone,
in the [Date] section.
See http://php.net/manual/en/timezones.php for possible values. I'm using
date.timezone = America/Toronto
Ensure mariadb installed, started, and password set as per
For ease of use, install phpmyadmin, and login to http://localhost/phpmyadmin/
as the mariadb (aka mysql) root user with the admin password set in the prior step.
In the list of items across the top, select Users, then Add user.
Under Login information ...
For the user name, on the right enter the value roundcube
For the host, use the drop down on the left to select local.
In the Password line, enter the value such as munged
Also enter it on the following Re-type line.
Under DataBase for user
select Create database with same name and grant all privileges.
Scroll down and on the right select Go.
NOTE: User name and database name are now both roundcube, with password munged.
replace the line ...
$config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
with
$config['db_dsnw'] = 'mysql://roundcube:munged@localhost/roundcube';
Restart apache with "systemctl restart httpd.service".
FIXED log permissions with "chmod g+w /var/log/roundcubemail"
While roundcubemail is responding at http://localhost/roundcubemail/ with
a db connect error, http://localhost/roundcubemail/installer returns with
404 - Object not found
I'm going to post to the dev mailing list that roundcube mail should be
dropped, as a useless (as is) package.
Once confirmed that roundcubemail will be dropped from Mageia 6, will close this
bug as wontfix.
Also note that the update installs, but the script fails with
Updating database schema (2013061000)... [FAILED]
ERROR: Error in DDL upgrade 2013061000:  Table 'roundcube.cache' doesn't exist
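The phpMyAdmin "Add user" steps and the db_dsnw edit from the test report above, done from the shell. This is an added example, not code from the bug report, the Mageia package or the Roundcube project. It prints the SQL that phpMyAdmin would run so it can be reviewed, rewrites the db_dsnw line in place, and adds a connection check so the DSN can be verified before the web UI is tried (the UI only shows "DATABASE ERROR: CONNECTION FAILED!"). Two things are assumptions not stated on the page: the config file path /etc/roundcubemail/config.inc.php and the schema file path used by roundcube_load_schema, which is offered on the assumption that the "Table 'roundcube.cache' doesn't exist" DDL failure means the initial schema was never loaded (the package ships no installer to do it).

```shell
#!/bin/sh
# Added example, not from the Mageia bug or the roundcubemail package:
# the phpMyAdmin "Add user" steps and the db_dsnw edit from the test
# report, scripted. Assumed (not on the page): CONFIG_FILE and SCHEMA_FILE.
set -u

CONFIG_FILE="${CONFIG_FILE:-/etc/roundcubemail/config.inc.php}"              # assumed path
SCHEMA_FILE="${SCHEMA_FILE:-/usr/share/roundcubemail/SQL/mysql.initial.sql}" # assumed path

# Print the SQL behind "Add user" + "Create database with same name and
# grant all privileges". Printed rather than piped into mysql so it can
# be reviewed first. GRANT ... IDENTIFIED BY creates the account on the
# MariaDB 10.0 in Mageia 5 (that form is gone in MySQL 8).
#   $1 = database/user name   $2 = password
roundcube_db_sql() {
    case "$2" in
        *\'*|*\\*) echo "password must not contain ' or \\ (not escaped here)" >&2; return 1 ;;
    esac
    printf "CREATE DATABASE IF NOT EXISTS \`%s\` CHARACTER SET utf8;\n" "$1"
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$1" "$1" "$2"
    printf "FLUSH PRIVILEGES;\n"
}

# Rewrite the db_dsnw line so it points at the user/database created above
# (the manual edit from the report). Matches whatever DSN is there now, so
# running it twice is harmless. Requires GNU sed (-i).
#   $1 = config file   $2 = user   $3 = password   $4 = database
roundcube_set_dsn() {
    case "$3" in
        *\'*|*\#*|*\&*|*\\*|*@*|*/*) echo "password needs escaping for sed or the DSN URL; pick another" >&2; return 1 ;;
    esac
    sed -i "s#\('db_dsnw'] = 'mysql://\)[^']*'#\1$2:$3@localhost/$4'#" "$1"
    grep -qF "mysql://$2:$3@localhost/$4'" "$1"
}

# Check the credentials directly instead of through the web UI. MYSQL_PWD
# keeps the password off the command line (it stays visible in this
# process's own environment).
#   $1 = user   $2 = password   $3 = database
roundcube_db_check() {
    MYSQL_PWD="$2" mysql -u "$1" -h localhost "$3" -e 'SELECT 1' >/dev/null
}

# Load the initial schema. Assumption: the "Table 'roundcube.cache' doesn't
# exist" failure of the update's DDL step means no schema was ever created.
#   $1 = user   $2 = password   $3 = database
roundcube_load_schema() {
    [ -r "$SCHEMA_FILE" ] || { echo "schema file not found: $SCHEMA_FILE (assumed path)" >&2; return 1; }
    MYSQL_PWD="$2" mysql -u "$1" -h localhost "$3" < "$SCHEMA_FILE"
}

# Show the SQL for the values used in the report (only prints it).
roundcube_db_sql roundcube munged
```

Intended order on a host: review and run the printed SQL as the mariadb root user, then roundcube_set_dsn "$CONFIG_FILE" roundcube munged roundcube, then roundcube_db_check before reloading the page; if roundcube_db_check succeeds but the update's DDL step still reports missing tables, roundcube_load_schema is the assumed fix. Use a real password rather than "munged", and keep the config file unreadable to other local users since it carries that password in clear.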
The package is in Cauldron, but it's a different version, so hopefully it's more obvious how to make it work. The maintainer is no longer with us, as you may have heard, but insisted that the Mageia 5 package worked as long as one knew how to make it work. As for Cauldron, I seem to remember it being a requirement for Kolab or something, so I think that's the reason we have it. I wouldn't mind seeing it go, but you should always feel free to ask about something like that on the dev list. Anyway, unless there's some obvious regression here, which there shouldn't be from this small patch, let's just push it and forget about the Mageia 5 version of this package, which we hopefully will never have to update again.
It is used as part of Kolab, Dave. Kolab does the necessary configuration. Unfortunately that makes it pretty useless as a stand-alone package, as the installer was removed.
Not ideal, and it should probably be renamed kolab-roundcubemail to allow the full package to be installed with the installer.
You *could* check it using kolab, but previously we've just ensured it updates cleanly.
Given the previous lack of success we have had with this package, which I had already installed (https://bugs.mageia.org/show_bug.cgi?id=19920#c2), and heeding Claire's comment 8, I just updated this to
The update went smoothly, this time with no new config files to confirm, nor any errors.
http://localhost/roundcubemail/ yielded the familiar
"DATABASE ERROR: CONNECTION FAILED!
Unable to connect to the database!
Please contact your server-administrator."
So from previous testing precedents, & David's comment 7, I am OKing & validating this update. Advisory to follow immediately.
An update for this issue has been pushed to the Mageia Updates repository.