Fedora has issued an advisory on November 4: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/56EUDX57TIX42ULN63ZD6HCOX5PLNOZJ/ Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing two committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, marja11, mrambo
Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability and bugs:

This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability (in handling invalid style tag content) plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8 (no CVE).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/56EUDX57TIX42ULN63ZD6HCOX5PLNOZJ/
========================

Updated packages in core/updates_testing:
========================

roundcubemail-1.3.8-1.mga6.noarch.rpm

from roundcubemail-1.3.8-1.mga6.src.rpm

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=9640#c5
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.
Ref to bug 9640 is obsolete as roundcubemail/installer does not exist anymore. Bug 22941 is a better guide. But step 5 (js dependencies) does not exist anymore either, so I just skipped that step.
Step 7 (roundcube page) brings me into a log screen, but there I'm stuck since I don't have any IMAP account (sticking to pop3).
But AFAICS, it looks OK. Leaving the OK for someone with a real IMAP account.
CC: (none) => herman.viaene
Installed and tested without issue.

System: Mageia 6, x86_64, Firefox, Chrome, Chromium, Plasma DE, LXQt, Intel CPU, nVidia GPU using nvidia240 proprietary driver.

For step-by-step installing instructions look here: https://bugs.mageia.org/show_bug.cgi?id=22941#c10

$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep roundcube
roundcubemail-1.3.6-1.2.mga6
Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia
(In reply to PC LX from comment #4)
> $ rpm -qa | grep roundcube
> roundcubemail-1.3.6-1.2.mga6

Thank you (& Herman) for your test of this difficult package (and the installation pointer); but is the version right? Comment 2 says "roundcubemail-1.3.8-1.mga6".
@Herman: what version did you test?

Advisory done from c2.
CC: (none) => lewyssmith
Keywords: (none) => advisory
(In reply to Lewis Smith from comment #5)
> (In reply to PC LX from comment #4)
> > $ rpm -qa | grep roundcube
> > roundcubemail-1.3.6-1.2.mga6
> but is the version right? Comment 2 says "roundcubemail-1.3.8-1.mga6".

Sorry, my mistake! I copied the version from before the update. This is the version I tested, the one after the update.

$ rpm -qa | grep roundcubemail
roundcubemail-1.3.8-1.mga6
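The version mix-up in comments 4 and 6 (the pre-update 1.3.6-1.2.mga6 build reported instead of the tested 1.3.8-1.mga6) is the kind of thing a small check catches before a QA sign-off; the shell snippet below is an added example, not part of this bug report or the Mageia QA procedure, that parses `rpm -qa` output and confirms the installed roundcubemail version-release is at least the fixed build from comment 2. It assumes GNU coreutils `sort -V` for version ordering and uses a constructed sample in place of a live `rpm -qa`.

```shell
#!/bin/sh
# Added example, not from the bug report: confirm that the roundcubemail
# package actually installed is at least the fixed build named in comment 2.
# Assumption: GNU coreutils `sort -V` is available for version ordering.
FIXED_VR="1.3.8-1.mga6"

# Strip the package name and any arch suffix from an `rpm -qa` line, leaving
# only "version-release" (e.g. 1.3.6-1.2.mga6). Prints nothing for lines that
# are not the roundcubemail package itself (subpackages are ignored).
pkg_vr() {
    printf '%s\n' "$1" \
      | sed -n 's/^roundcubemail-\([0-9].*\)$/\1/p' \
      | sed -e 's/\.noarch$//' -e 's/\.x86_64$//' -e 's/\.i586$//'
}

# Return 0 when the installed version-release is >= FIXED_VR, 1 otherwise.
# If FIXED_VR sorts first (or equal), the installed build is new enough.
is_fixed() {
    installed=$(pkg_vr "$1")
    [ -n "$installed" ] || return 1
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_VR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VR" ]
}

# Read `rpm -qa` output on stdin and report every roundcubemail package line.
# Usage on a live system: rpm -qa | check_installed
check_installed() {
    while read -r pkg; do
        [ -n "$(pkg_vr "$pkg")" ] || continue
        if is_fixed "$pkg"; then
            echo "OK         $pkg"
        else
            echo "NOT FIXED  $pkg"
        fi
    done
}

# Constructed sample standing in for the two `rpm -qa` outputs quoted in
# comments 4 and 6 (before and after the update), plus an unrelated package.
SAMPLE="roundcubemail-1.3.6-1.2.mga6
roundcubemail-1.3.8-1.mga6
otherpackage-1.0-1.mga6"

printf '%s\n' "$SAMPLE" | check_installed
```

Only the 1.3.8-1.mga6 line is reported as OK; the pre-update build from comment 4 is flagged as NOT FIXED and the unrelated package is skipped.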
Thanks a bunch, PC_LX. Can validate this now (which you could have done).
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0463.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This is CVE-2018-19206, according to this Debian advisory from November 24: https://www.debian.org/security/2018/dsa-4344
Summary: roundcubemail new XSS security issue fixed upstream in 1.3.8 => roundcubemail new XSS security issue fixed upstream in 1.3.8 (CVE-2018-19206)
CVE-2018-19205 was also fixed in 1.3.7 in this update: https://bugzilla.suse.com/show_bug.cgi?id=1115719 https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html