Updated roundcubemail packages fix security vulnerabilities:

- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.3.11

========================
Updated packages in core/updates_testing:
========================
roundcubemail-1.3.11-1.mga7.noarch.rpm

SRPM:
roundcubemail-1.3.11-1.mga7.src.rpm
Assignee: mageia => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 22941 Comment 10 and 23826 Comment 10 for testing.
Success configuring roundcubemail for my gmail account, sent mail to my hotmail account (read on my desktop PC) and received an answer from it.
So roundcube does its thing. OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Installed and tested without issue.

Tested using dovecot imap server. Several accounts with large number of folders and emails.

System: Mageia 7, x86_64, Firefox, Chromium, Chrome, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia240 proprietary driver.

$ uname -a
Linux marte 5.6.8-desktop-1.mga7 #1 SMP Thu Apr 30 06:12:53 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q roundcubemail
roundcubemail-1.3.11-1.mga7
CC: (none) => mageia
Debian has issued an advisory for this on May 5:
https://www.debian.org/security/2020/dsa-4674

Updated roundcubemail packages fix security vulnerabilities:

- Cross-Site Scripting (XSS) via malicious HTML content (CVE-2020-12625)
- CSRF attack can cause an authenticated user to be logged out (CVE-2020-12626)
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12626
https://github.com/roundcube/roundcubemail/releases/tag/1.3.11
https://www.debian.org/security/2020/dsa-4674
Summary: Security issues in roundcube mail => roundcubemail new security issues CVE-2020-1262[56]
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
You mean Comment 4.
OK. It had been a looooonnnnng day on the tractor, and I was tired.
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0206.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2020-12640:
https://bugzilla.suse.com/show_bug.cgi?id=1171149
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html
CC: (none) => luigiwalser