Bug 22941 - roundcubemail new security issue CVE-2018-9846
Summary: roundcubemail new security issue CVE-2018-9846
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: feedback
Keywords: has_procedure
Depends on:
Reported: 2018-04-22 16:39 CEST by David Walser
Modified: 2018-05-19 18:22 CEST

See Also:
Source RPM: roundcubemail-1.3.3-1.mga7.src.rpm
Status comment:


Description David Walser 2018-04-22 16:39:56 CEST
Fedora has issued an advisory on April 21:

The issue is fixed upstream in 1.3.6.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-04-22 16:40:10 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-04-23 05:42:13 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11, mrambo
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2018-04-28 18:35:37 CEST
Updated package uploaded for cauldron and Mageia 6.


Updated roundcubemail package fixes security vulnerability:

This update fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin (CVE-2018-9846).


Updated packages in core/updates_testing:

from roundcubemail-1.3.6-1.mga6.src.rpm

Testing procedure:

Whiteboard: MGA6TOO => (none)
Keywords: (none) => has_procedure
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
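The advisory text above names only the bug class (IMAP command injection through insufficient input validation). The following added example is not Roundcube's code and is not part of this bug report; it shows the kind of validation a server-side mail client should apply before an untrusted UID set and mailbox name are placed on an IMAP command line. Function names, regexes and sample values are assumptions made for the example.

```python
import re

# RFC 3501 sequence-set: numbers, ranges (n:m), the '*' wildcard, comma-separated.
_SEQ_SET_RE = re.compile(r"^(\*|\d+)(:(\*|\d+))?(,(\*|\d+)(:(\*|\d+))?)*$")
# Control characters (CR and LF included) must never reach an IMAP command line,
# because the server would read everything after them as a further command.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


def is_valid_uid_set(value: str) -> bool:
    """Accept only a well-formed IMAP sequence-set such as '12', '3:9' or '1,4:*'."""
    return _SEQ_SET_RE.fullmatch(value) is not None


def is_safe_mailbox_name(value: str) -> bool:
    """Reject empty names and any control character that could end the command line."""
    return bool(value) and _CTRL_RE.search(value) is None


def quote_mailbox(name: str) -> str:
    """Encode a mailbox name as an IMAP quoted string (backslash and quote escaped)."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_uid_move(tag: str, uid_set: str, mailbox: str) -> str:
    """Build one 'UID MOVE' line; refuse any parameter that fails validation.

    Constructed example of the hardened pattern: validate first, then serialise.
    """
    if not is_valid_uid_set(uid_set):
        raise ValueError("invalid UID set")
    if not is_safe_mailbox_name(mailbox):
        raise ValueError("invalid mailbox name")
    return f"{tag} UID MOVE {uid_set} {quote_mailbox(mailbox)}\r\n"


def is_accepted(tag: str, uid_set: str, mailbox: str) -> bool:
    """True if the parameters would be sent, False if validation rejected them."""
    try:
        build_uid_move(tag, uid_set, mailbox)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values: a normal archive move, then one carrying a line break.
    print(build_uid_move("A001", "12", "Archive/2018"), end="")
    print(is_accepted("A002", "12\r\n13", "Archive/2018"))  # False: rejected
```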

Comment 3 claire robinson 2018-05-19 04:02:52 CEST
Adds some new dependencies. Is that expected?

# urpmi roundcubemail
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release2")
  perl-Authen-SASL               2.160.0      7.mga6        noarch  
  perl-Convert-ASN1              0.270.0      5.mga6        noarch  
  perl-Digest-HMAC               1.30.0       8.mga6        noarch  
  perl-Digest-SHA1               2.130.0      19.mga6       x86_64  
  perl-ldap                      0.650.0      3.mga6        noarch  
(medium "Core Updates Testing")
  roundcubemail                  1.3.6        1.mga6        noarch

Whiteboard: (none) => feedback

Comment 4 claire robinson 2018-05-19 04:05:39 CEST
Also bad signature.

The following package has bad signature:
/var/cache/urpmi/rpms/roundcubemail-1.3.6-1.mga6.noarch.rpm: Missing signature (OK ((none)))

Comment 5 David Walser 2018-05-19 18:22:59 CEST
perl dependencies are automatically generated, so they are what they are, but we can't have bad signatures, so the package will need to be rebuilt.
