Bug 22941 - roundcubemail new security issue CVE-2018-9846
Summary: roundcubemail new security issue CVE-2018-9846
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: feedback
Keywords: has_procedure
Depends on:
Blocks:
 
Reported: 2018-04-22 16:39 CEST by David Walser
Modified: 2018-05-19 18:22 CEST

See Also:
Source RPM: roundcubemail-1.3.3-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-04-22 16:39:56 CEST
Fedora has issued an advisory on April 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z5Z2OC2XYT33AXQAC6NBFEM5PJNFVZRR/

The issue is fixed upstream in 1.3.6.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-04-22 16:40:10 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-04-23 05:42:13 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11, mrambo
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2018-04-28 18:35:37 CEST
Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

This update fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin (CVE-2018-9846).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9846
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z5Z2OC2XYT33AXQAC6NBFEM5PJNFVZRR/
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.3.6-1.mga6.noarch.rpm

from roundcubemail-1.3.6-1.mga6.src.rpm


Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=9640#c5

Whiteboard: MGA6TOO => (none)
Keywords: (none) => has_procedure
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
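
The advisory above describes CVE-2018-9846 only as an IMAP command injection caused by insufficient input validation in the archive plugin. As an added illustration of the defensive pattern, not Roundcube's own code, the following Python strictly validates the two user-controlled values such an archive action would embed in an IMAP command (a UID sequence set and a target mailbox name, both assumed here, as is the `UID MOVE` command itself) before the command is assembled, so CR/LF or stray characters cannot terminate or extend it.

```python
import re

# RFC 3501 "sequence-set" grammar: numbers or '*', ranges joined by ':',
# lists joined by ','. Constructed allowlist; anything else is rejected.
_SEQ_ITEM = r"(?:[1-9][0-9]*|\*)"
_SEQ_RANGE = rf"{_SEQ_ITEM}(?::{_SEQ_ITEM})?"
_SEQ_SET_RE = re.compile(rf"{_SEQ_RANGE}(?:,{_SEQ_RANGE})*")


def is_safe_sequence_set(value: str) -> bool:
    """True only for a well-formed sequence set such as "5", "1:*" or "3,7:9".
    fullmatch is used on purpose: '$' would still accept a trailing newline."""
    return _SEQ_SET_RE.fullmatch(value) is not None


def quote_mailbox(name: str) -> str:
    """Return the mailbox name as an IMAP quoted string or raise ValueError.

    CR/LF would end the current command and let whatever follows run as a new
    one, so every control character is refused rather than escaped. Non-ASCII
    names are refused too: on the wire they must be modified UTF-7 (RFC 3501),
    and that encoding is assumed to happen before this function is called."""
    if not name or len(name) > 255:
        raise ValueError("mailbox name empty or too long")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise ValueError("control character in mailbox name")
    if not name.isascii():
        raise ValueError("mailbox name must be modified-UTF-7 encoded first")
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_move_command(tag: str, uids: str, mailbox: str) -> str:
    """Assemble '<tag> UID MOVE <set> <mailbox>' from validated parts only.
    The command shape is an assumption used for illustration."""
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError("bad command tag")
    if not is_safe_sequence_set(uids):
        raise ValueError(f"rejected sequence set: {uids!r}")
    return f"{tag} UID MOVE {uids} {quote_mailbox(mailbox)}\r\n"


if __name__ == "__main__":
    # Constructed inputs: one well-formed request and one carrying a CR/LF.
    print(build_move_command("A1", "12", "Archive/2018"), end="")
    for bad in ("5\r\nA2 NOOP", "12 EXPUNGE", ""):
        print(bad.encode(), "accepted" if is_safe_sequence_set(bad) else "rejected")
```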

Comment 3 claire robinson 2018-05-19 04:02:52 CEST
Adds some new dependencies. Is that expected?

# urpmi roundcubemail
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release2")
  perl-Authen-SASL               2.160.0      7.mga6        noarch  
  perl-Convert-ASN1              0.270.0      5.mga6        noarch  
  perl-Digest-HMAC               1.30.0       8.mga6        noarch  
  perl-Digest-SHA1               2.130.0      19.mga6       x86_64  
  perl-ldap                      0.650.0      3.mga6        noarch  
(medium "Core Updates Testing")
  roundcubemail                  1.3.6        1.mga6        noarch

Whiteboard: (none) => feedback

Comment 4 claire robinson 2018-05-19 04:05:39 CEST
Also bad signature.

The following package has bad signature:
/var/cache/urpmi/rpms/roundcubemail-1.3.6-1.mga6.noarch.rpm: Missing signature (OK ((none)))

Comment 5 David Walser 2018-05-19 18:22:59 CEST
Perl dependencies are automatically generated, so they are what they are, but we can't have bad signatures, so the package will need to be rebuilt.
