A file disclosure vulnerability was discovered in roundcube, a skinnable AJAX based webmail solution for IMAP servers. An authenticated attacker can take advantage of this flaw to read roundcube's configuration files.
URL: (none) => https://www.debian.org/security/2017/dsa-4030CVE: (none) => CVE-2017-16651
Assigning to all packagers collectively, since there is no registered maintainer for this package. See also http://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
Whiteboard: (none) => MGA6TOO, MGA5TOOCC: (none) => marja11, mramboVersion: 6 => CauldronAssignee: bugsquad => pkg-bugsSource RPM: roundcube => roundcubemail
Debian has issued an advisory for this on November 9: https://www.debian.org/security/2017/dsa-4030
Summary: roundcube security update CVE-2017-16651 => roundcubemail new security issue CVE-2017-16651Source RPM: roundcubemail => roundcubemail-1.2.5-1.mga6.src.rpm
Cauldron updated to version 1.3.3. Patched package uploaded for Mageia 5 and 6. Advisory: ======================== Patched roundcubemail package fixes security vulnerability: It was discovered that roundcubemail contained a zero-day file disclosure vulnerability caused by insuficient input validation which was currently being exploited by hackers to read roundcube's configuration files and steal its database credentials (CVE-2017-16651). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16651 https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10 https://www.debian.org/security/2017/dsa-4030 ======================== Updated packages in core/updates_testing: ======================== roundcubemail-1.0.11-1.1.mga5 from roundcubemail-1.0.11-1.1.mga5.src.rpm roundcubemail-1.2.5-1.1.mga6 from roundcubemail-1.2.5-1.1.mga6.src.rpm Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=9640#c5
Assignee: pkg-bugs => qa-bugsWhiteboard: MGA6TOO, MGA5TOO => MGA5TOOVersion: Cauldron => 6
Keywords: (none) => has_procedure
In order to get roundcube mail working, the pre-requisites are having mysql (mariadb), https (apache-mod_ssl), and an imap service such as dovecot working with a real linux user with the proper directory structure for the imap mail in /home. Got roundcubemail working, and confirmed it's working after the update. Not trying to recreate the actual exploit, as though it's described in general, I don't see the details of how to use it. Will update the testing procedure on the wiki later. Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_updateWhiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OKCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0409.html
Status: NEW => RESOLVEDResolution: (none) => FIXED