Fedora has issued an advisory on April 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z5Z2OC2XYT33AXQAC6NBFEM5PJNFVZRR/

The issue is fixed upstream in 1.3.6. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, mrambo
Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

This update fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin (CVE-2018-9846).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9846
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z5Z2OC2XYT33AXQAC6NBFEM5PJNFVZRR/
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.3.6-1.mga6.noarch.rpm

from roundcubemail-1.3.6-1.mga6.src.rpm

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=9640#c5
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
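The advisory above names only the bug class (IMAP command injection from insufficient input validation in the archive plugin), not the parameter or the command involved. The following Python is an added illustration of that class, not Roundcube's code and not the upstream fix: it assumes a UID-set request parameter and a UID MOVE command as the injection point, both assumptions, and shows why a strict grammar check at the boundary (rather than an ad-hoc CRLF strip) keeps an injected second command off the wire.

```python
import re

CRLF = "\r\n"

# RFC 3501 sequence-set: numbers or '*', optional ':' ranges, joined by ','.
_SEQ_SET = re.compile(r"(?:\d+|\*)(?::(?:\d+|\*))?(?:,(?:\d+|\*)(?::(?:\d+|\*))?)*")


def is_valid_uid_set(value: str) -> bool:
    """True only if value is exactly a sequence-set.

    fullmatch is used on purpose: re.match with '$' would accept a trailing
    newline, which is precisely the character an injection needs.
    """
    return _SEQ_SET.fullmatch(value) is not None


def quote_mailbox(name: str) -> str:
    """Encode a mailbox name as an IMAP quoted string.

    CR, LF and NUL can never appear inside a quoted string, so they are
    rejected rather than escaped; backslash and double quote are escaped.
    """
    if any(ch in name for ch in "\r\n\0"):
        raise ValueError("control characters are not allowed in a mailbox name")
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def unsafe_move_command(tag: str, uid_set: str, dest: str) -> str:
    """Vulnerable pattern: request parameters concatenated straight into the command."""
    return f"{tag} UID MOVE {uid_set} {dest}{CRLF}"


def safe_move_command(tag: str, uid_set: str, dest: str) -> str:
    """Hardened form: the UID set must match the grammar and the mailbox is quoted."""
    if not is_valid_uid_set(uid_set):
        raise ValueError(f"invalid UID set: {uid_set!r}")
    return f"{tag} UID MOVE {uid_set} {quote_mailbox(dest)}{CRLF}"


def commands_seen_by_server(wire: str) -> list:
    """Split a stream the way an IMAP server does: one command per CRLF-terminated line."""
    return [line for line in wire.split(CRLF) if line]


# Constructed sample input (assumed attacker value): a UID parameter that
# terminates the first command and smuggles a second one after the CRLF.
HOSTILE_UID_SET = "1:3" + CRLF + "A002 DELETE INBOX"


def demo() -> dict:
    """Run both builders on the hostile value and report what reaches the server."""
    injected = commands_seen_by_server(unsafe_move_command("A001", HOSTILE_UID_SET, "Archive"))
    try:
        safe_move_command("A001", HOSTILE_UID_SET, "Archive")
        blocked = False
    except ValueError:
        blocked = True
    return {"injected_commands": injected, "blocked_by_validation": blocked}


if __name__ == "__main__":
    print(demo())
```

With the unsafe builder the server sees two commands, the second of which is the attacker's; the hardened builder refuses the value before anything is sent. The grammar check is the important part: stripping CR and LF alone would still let other non-sequence-set text through, whereas allowing only what the protocol defines for that slot leaves no room for a second command.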
Adds some new dependencies. Is that expected?

# urpmi roundcubemail
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release2")
  perl-Authen-SASL               2.160.0      7.mga6        noarch
  perl-Convert-ASN1              0.270.0      5.mga6        noarch
  perl-Digest-HMAC               1.30.0       8.mga6        noarch
  perl-Digest-SHA1               2.130.0      19.mga6       x86_64
  perl-ldap                      0.650.0      3.mga6        noarch
(medium "Core Updates Testing")
  roundcubemail                  1.3.6        1.mga6        noarch
Whiteboard: (none) => feedback
Also a bad signature.

The following package has bad signature:
/var/cache/urpmi/rpms/roundcubemail-1.3.6-1.mga6.noarch.rpm: Missing signature (OK ((none)))
perl dependencies are automatically generated, so they are what they are, but we can't have bad signatures, so the package will need to be rebuilt.
Rebuilt package to correct signature problem. New file list.

Updated packages in core/updates_testing:
========================
roundcubemail-1.3.6-1.1.mga6.noarch.rpm

from roundcubemail-1.3.6-1.1.mga6.src.rpm
Whiteboard: feedback => (none)
MGA6-32 on IBM Thinkpad R50e MATE

Installation draws in apache, but not mariadb, which is a prerequisite as well. Please do not refer to bug 9640 anymore, as the info on testing is obsolete (the installer is not there anymore); the wiki is better although not complete. I will give more feedback once I get through all the loops.
CC: (none) => herman.viaene
I needed to change the file /etc/my.cnf.d/cracklib_password_check.cnf to comment out the line on the cracklib plugin. That gets rid of the policy error when trying to enter the roundcube user. I'm still stuck at the database connection error, but my guess is that, with our current setup, we do not populate the roundcubemail database with its necessary tables. I cannot continue my investigation right now.
Googling, I find references to a /usr/share/roundcubemail/SQL folder, but that one is not in our rpm?
Installed and (minimally) tested. Installing required various steps.

1) Install the package roundcubemail and its dependencies (and recommends).
2) Start Apache (the httpd server I used) and MariaDB (the database server I used).
3) Create a database in MariaDB.
4) Create a database account (with all access rights; probably not all access rights are needed or desirable, but this was only for testing).
5) Initialize the database. Run:
   mysql -u username -p database_name < /usr/share/doc/roundcubemail/SQL/mysql.initial.sql
6) Install JS dependencies. Run as root:
   /usr/share/roundcubemail/bin/install-jsdeps.sh
7) Edit, as root, the file /etc/roundcubemail/config.inc.php, and set the DSN, IMAP and SMTP settings.
8) Load the http://localhost/roundcubemail/ page in a browser.
9) Login using the username/password for an IMAP account on the IMAP server configured in step 7.

While roundcubemail worked, I noticed that only some folders showed up in the list. The account I used has thousands. From the folders shown, I suspect it is only showing folders with recent emails. I don't know if this is how it's supposed to be or some limitation or bug. I don't usually use any webmail stuff and have only used roundcubemail once or twice for quick access to an account, so I have no idea if there are any regressions. Will let someone else decide on giving the approved stamp to this one.
CC: (none) => mageia
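The manual procedure in the comment above, collected into one script as an added example; this is not Mageia's or Roundcube's own tooling. Assumed values are the database name, the database account and its password, and localhost as IMAP and SMTP host; it also assumes that /etc/roundcubemail/config.inc.php has no closing ?> tag (Roundcube's sample config does not), so appended settings are still parsed. The grant is scoped to the one database rather than the all-rights account the tester used, and the earlier comment's note that mariadb is not pulled in automatically is handled by installing it explicitly.

```shell
#!/bin/sh
# Added example: scripts the install steps reported in the comment above on a
# Mageia 6 host. DB_*, IMAP_HOST and SMTP_HOST are assumed values, override
# them in the environment. Run with --run; without it only the helpers load.
set -eu

DB_NAME="${DB_NAME:-roundcubemail}"
DB_USER="${DB_USER:-roundcube}"
DB_PASS="${DB_PASS:-change-me}"    # assumed; keep it free of quotes, it is pasted into SQL below
IMAP_HOST="${IMAP_HOST:-localhost}"
SMTP_HOST="${SMTP_HOST:-localhost}"
SCHEMA=/usr/share/doc/roundcubemail/SQL/mysql.initial.sql
CONFIG=/etc/roundcubemail/config.inc.php

# Pure helper: the DSN string Roundcube expects in $config['db_dsnw'].
build_dsn() {
    printf 'mysql://%s:%s@localhost/%s' "$1" "$2" "$3"
}

# Pure helper: escape backslash and single quote for a single-quoted PHP string.
php_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/'\''/\\'\''/g'
}

# 24-character des_key (Roundcube wants exactly 24): 18 random bytes base64 to 24 chars.
des_key() {
    head -c 18 /dev/urandom | base64 | tr -d '\n'
}

# Steps 3 and 4: database plus an account limited to that database.
create_database() {
    mysql -u root -p <<EOF
CREATE DATABASE IF NOT EXISTS \`$DB_NAME\` CHARACTER SET utf8;
CREATE USER IF NOT EXISTS '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
GRANT ALL PRIVILEGES ON \`$DB_NAME\`.* TO '$DB_USER'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Step 5: load the schema shipped with the package.
init_schema() {
    mysql -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" < "$SCHEMA"
}

# Step 7: append DSN, IMAP and SMTP settings using the Roundcube 1.3 key names.
write_config() {
    dsn=$(build_dsn "$DB_USER" "$DB_PASS" "$DB_NAME")
    key=$(des_key)
    cat >> "$CONFIG" <<EOF
\$config['db_dsnw'] = '$(php_quote "$dsn")';
\$config['default_host'] = '$(php_quote "$IMAP_HOST")';
\$config['smtp_server'] = '$(php_quote "$SMTP_HOST")';
\$config['des_key'] = '$(php_quote "$key")';
EOF
}

main() {
    urpmi --auto roundcubemail mariadb              # step 1 (mariadb is not pulled in)
    systemctl start httpd mariadb                   # step 2
    create_database
    init_schema
    /usr/share/roundcubemail/bin/install-jsdeps.sh  # step 6, needs network access
    write_config
    echo "Open http://localhost/roundcubemail/ and log in with an IMAP account on $IMAP_HOST"
}

# Only run the procedure when asked, so the helpers can be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

After it runs, config.inc.php contains the database password in the DSN, so keep its permissions tight, and the des_key line should never be copied between hosts. If the cracklib policy rejects the chosen password (as reported earlier in this thread), pick a password that satisfies the policy rather than disabling the plugin on a production box.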
Forgot the system info.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q roundcubemail
roundcubemail-1.3.6-1.1.mga6
It's been a week since the last comment, so I'm marking it as OK for x86_64.
Whiteboard: (none) => MGA6-64-OK
Advisoried. Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0288.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED