Bug 20787 - roundcubemail new security issue CVE-2017-8114
Summary: roundcubemail new security issue CVE-2017-8114
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-05 20:48 CEST by David Walser
Modified: 2017-06-26 11:28 CEST

See Also:
Source RPM: roundcubemail-1.0.9-1.2.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-05-05 20:48:00 CEST
Upstream has released 1.0.11 on April 28:
https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
Comment 1 Marja Van Waes 2017-05-05 21:49:26 CEST
Assigning to all packagers collectively, since there is no registered maintainer for roundcubemail.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2017-05-15 23:16:36 CEST
openSUSE has issued an advisory for this today (May 15):
https://lists.opensuse.org/opensuse-updates/2017-05/msg00039.html
Comment 3 Mike Rambo 2017-06-13 22:01:25 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

It was discovered that roundcubemail prior to 1.0.11 contained a vulnerability in the virtualmin and sasl drivers of the password plugin (CVE-2017-8114).

References:
https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
https://www.suse.com/security/cve/CVE-2017-8114/
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.0.11-1.mga5.noarch.rpm

from roundcubemail-1.0.11-1.mga5.src.rpm


Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=9640#c5

CC: (none) => mrambo
Assignee: pkg-bugs => qa-bugs

Dave Hodgins 2017-06-18 07:56:33 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 4 Herman Viaene 2017-06-19 14:58:28 CEST
MGA5-32 on Asus A 6000 VM Xfce
No installation issues
Ref. to bug 20463 Comment 5 and bug 9640, we're still in the same mess. After configuring all correctly, I still run into 'Database connection failure' and 'Error 404 Object not found'.
But it does not seem to break anything else.

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK

Comment 5 Lewis Smith 2017-06-20 11:36:07 CEST
Testing Mageia 5 64-bit

Already installed and configured as per
 https://bugs.mageia.org/show_bug.cgi?id=19920#c2
roundcubemail-1.0.9-1.2.mga5

UPDATE was clean, no config file changes, to: roundcubemail-1.0.11-1.mga5
after which http://localhost/roundcubemail/ gave our usual Roundcube error page:
"DATABASE ERROR: CONNECTION FAILED!

Unable to connect to the database!
Please contact your server-administrator."

OK as per our routine updates for this pkg. Validating.

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-06-26 11:28:55 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0181.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

