Fedora has issued an advisory on September 8: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/ The issue is fixed upstream in 1.3.10. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Another package with neither a registered maintainer nor a consistent recent committer, so it has to be assigned globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. (CVE-2019-15237)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15237
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/
========================

Updated package in core/updates_testing:
========================

roundcubemail-1.3.10-1.mga7

from SRPMS:
roundcubemail-1.3.10-1.mga7.src.rpm
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-15237
Whiteboard: MGA7TOO => (none)
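The advisory above describes the flaw only as mishandling of Punycode (xn--) domain names leading to homograph attacks. As an added example that is not part of this bug report, of the Roundcube code, or of the upstream fix, the Python script below decodes xn-- labels with the standard-library IDNA codec and flags the two classic homograph patterns a mail client or link scanner should catch: a label that mixes scripts (Cyrillic а followed by Latin pple) and a whole-script confusable (all-Cyrillic сіѕсо that reads as cisco). The sample hostnames are constructed, the confusables map is a hand-picked subset of the Unicode confusables data, and the script lookup (first word of the Unicode character name) is a heuristic rather than a UTS #39 implementation. It says nothing about how Roundcube itself handled these names before or after 1.3.10.

```python
import unicodedata

# Hand-picked subset of the Unicode confusables data (UTS #39): Cyrillic
# letters that render like Latin ones. Assumption: enough for the demo,
# not the full table.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def decode_label(label: str) -> str:
    """Return the Unicode form of one hostname label.

    Labels in xn-- (ACE/Punycode) form are decoded with the stdlib IDNA codec;
    anything else is returned unchanged. Raises UnicodeError on malformed ACE.
    """
    label = label.lower()
    if label.startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def script_of(ch: str):
    """Heuristic script lookup: the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, ...). Digits and hyphen are script-neutral."""
    if ch.isdigit() or ch == "-":
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label: str) -> str:
    """Map confusable Cyrillic letters to their Latin look-alikes."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)


def analyse_hostname(hostname: str) -> dict:
    """Decode every label of hostname and report homograph indicators.

    Returns {"unicode": decoded hostname, "findings": [str, ...]}; an empty
    findings list means nothing suspicious was seen.
    """
    decoded, findings = [], []
    for label in hostname.split("."):
        try:
            uni = decode_label(label)
        except UnicodeError as exc:
            # Malformed ACE is itself worth flagging: the link cannot be
            # displayed faithfully, so it should not be trusted either.
            findings.append(f"malformed ACE label {label!r}: {exc}")
            decoded.append(label)
            continue
        decoded.append(uni)
        if uni.isascii():
            continue
        scripts = {s for s in map(script_of, uni) if s}
        if len(scripts) > 1:
            findings.append(
                f"mixed-script label {uni!r} ({'+'.join(sorted(scripts))})")
        skel = skeleton(uni)
        if skel != uni and skel.isascii():
            findings.append(f"label {uni!r} is confusable with {skel!r}")
    return {"unicode": ".".join(decoded), "findings": findings}


if __name__ == "__main__":
    # Constructed sample links, not domains observed in the wild. The xn--
    # forms are produced here by the same codec so the demo is self-consistent.
    samples = [
        "apple.com",                                                     # plain ASCII
        "\u0430pple.com".encode("idna").decode("ascii"),                 # Cyrillic а + Latin pple
        "\u0441\u0456\u0455\u0441\u043e.com".encode("idna").decode("ascii"),  # all Cyrillic, looks like cisco
        "b\u00fccher.example".encode("idna").decode("ascii"),            # legitimate single-script IDN
        "xn--!!.example",                                                # malformed ACE label
    ]
    for host in samples:
        report = analyse_hostname(host)
        print(host, "->", report["unicode"], report["findings"] or "ok")
```

The German IDN in the sample list is there to show that not every xn-- name is suspicious: it decodes to a single Latin-script label with no confusable letters and produces no finding, while the two Cyrillic cases are flagged for different reasons (mixed scripts versus a whole-script look-alike).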
Installed and tested without issue. Tested using a dovecot imap server, with several accounts with a large number of folders and emails.

System: Mageia 7, x86_64, Firefox, Chromium, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia240 proprietary driver.

$ uname -a
Linux marte 5.4.6-desktop-2.mga7 #1 SMP Mon Dec 23 12:05:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep roundcubemail
roundcubemail-1.3.10-1.mga7
Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia
Validated. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0420.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2019-10740: https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html