Bug 25944 - roundcubemail new security issue CVE-2019-15237
Summary: roundcubemail new security issue CVE-2019-15237
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-23 23:35 CET by David Walser
Modified: 2020-09-25 00:58 CEST
CC List: 5 users

See Also:
Source RPM: roundcubemail-1.3.8-2.mga7.src.rpm
CVE: CVE-2019-15237
Status comment:


Attachments

Description David Walser 2019-12-23 23:35:46 CET
Fedora has issued an advisory on September 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/

The issue is fixed upstream in 1.3.10.

Mageia 7 is also affected.
David Walser 2019-12-23 23:35:57 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-24 21:36:12 CET
Another package with no registered maintainer or consistent recent committer, so it has to be assigned globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2019-12-29 15:40:59 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. (CVE-2019-15237)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15237
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/
========================

Updated package in core/updates_testing:
========================
roundcubemail-1.3.10-1.mga7

from SRPMS:
roundcubemail-1.3.10-1.mga7.src.rpm

CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-15237
Whiteboard: MGA7TOO => (none)
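
The advisory above describes CVE-2019-15237 as a homograph attack through Punycode (xn--) domain names. The Python below is an added example, not Roundcube's code and not its upstream fix, showing one way a mail client's display layer can decide whether an xn-- domain in an address is safe to render in Unicode: decode each label and fall back to the raw xn-- form when the label mixes Latin with Cyrillic or Greek letters, or when it consists only of Cyrillic letters whose glyphs are near-identical to Latin ones (a whole-script confusable, which goes beyond the mixed-script case and follows the approach browsers take for IDN display). The function names, the lookalike table and the sample addresses are constructed for this illustration.

```python
"""Added example (not Roundcube code): decide whether a Punycode (xn--) domain
in an e-mail address is safe to display in its Unicode form, or whether the
raw xn-- form must be shown to avoid a homograph.  Function names, the
lookalike table and the sample addresses are assumptions made for this
illustration.
"""
import unicodedata

# Cyrillic letters whose glyphs are near-identical to Latin letters
# (a, e, o, p, c, y, x, s, i, j, h, l, q, w).  Hand-picked for this example,
# modelled on the whole-script-confusable lists used by browser IDN policies.
CYRILLIC_LATIN_LOOKALIKES = set(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0455\u0456\u0458"
    "\u04bb\u04cf\u051b\u051d"
)


def to_ace(domain: str) -> str:
    """Encode a Unicode domain into its ASCII-compatible (xn--) form."""
    return domain.encode("idna").decode("ascii")


def letters(label: str) -> list:
    """Characters of *label* that matter for script checks (no digits, no '-')."""
    return [ch for ch in label if not (ch.isdigit() or ch == "-")]


def scripts_of(label: str) -> set:
    """Script names of the letters in *label*, taken from the first word of
    each Unicode character name (LATIN, CYRILLIC, GREEK, CJK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in letters(label)}


def is_whole_script_confusable(label: str) -> bool:
    """True when every letter is a Cyrillic letter that looks like a Latin one,
    e.g. a label that reads 'scope' but is entirely Cyrillic."""
    chars = letters(label)
    return bool(chars) and all(ch in CYRILLIC_LATIN_LOOKALIKES for ch in chars)


def safe_display_label(label: str) -> str:
    """Return the Unicode form of an xn-- label when it is harmless, else the
    raw xn-- label.  Non-IDN labels are returned unchanged."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        decoded = label.encode("ascii").decode("idna")
    except UnicodeError:
        return label  # malformed Punycode: never show a guessed decoding
    scripts = scripts_of(decoded)
    if "LATIN" in scripts and scripts & {"CYRILLIC", "GREEK"}:
        return label  # mixed-script label, e.g. 'p' + Cyrillic 'a' + 'ypal'
    if is_whole_script_confusable(decoded):
        return label  # all letters are Cyrillic lookalikes of Latin ones
    return decoded


def safe_display_address(address: str) -> str:
    """Apply safe_display_label() to every label of the domain part."""
    local, sep, domain = address.rpartition("@")
    if not sep:
        return address
    return local + "@" + ".".join(safe_display_label(lbl) for lbl in domain.split("."))


if __name__ == "__main__":
    # Constructed sample addresses: one legitimate IDN, two homographs.
    samples = [
        "info@" + to_ace("m\u00fcnchen") + ".de",                    # muenchen.de
        "billing@" + to_ace("p\u0430ypal") + ".com",                 # Cyrillic 'a' in paypal
        "ops@" + to_ace("\u0455\u0441\u043e\u0440\u0435") + ".net",  # all-Cyrillic 'scope'
    ]
    for addr in samples:
        print(addr, "->", safe_display_address(addr))
```

Python's built-in idna codec implements IDNA 2003, and classifying a script by the first word of the Unicode character name is a simplification: only Latin mixed with Cyrillic or Greek is flagged, so legitimate labels that mix Hiragana, Katakana and CJK ideographs still display decoded. The point the example makes is the decision itself: an xn-- label is only ever shown in Unicode after a check, and any doubt (mixed script, confusable, or undecodable) falls back to the Punycode form the user can at least inspect.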

Comment 3 PC LX 2019-12-29 18:28:08 CET
Installed and tested without issue.

Tested using a dovecot imap server, with several accounts with a large number of folders and emails.

System: Mageia 7, x86_64, Firefox, Chromium, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia240 proprietary driver.

$ uname -a
Linux marte 5.4.6-desktop-2.mga7 #1 SMP Mon Dec 23 12:05:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.3.10-1.mga7

Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia

Comment 4 Thomas Andrews 2019-12-29 19:28:05 CET
Validated. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-12-31 16:38:40 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2019-12-31 17:52:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0420.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2020-09-25 00:58:23 CEST
This update also fixed CVE-2019-10740:
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html
