Some XSS attacks on roundcube have been fixed in the latest maintenance release:
- Fix XSS issue in template object 'username' (#7406)
- Fix cross-site scripting (XSS) via malicious XML attachment
- Fix a couple of XSS issues in Installer (#7406)
Ref: https://github.com/roundcube/roundcubemail/releases/tag/1.3.12
The latest maintenance release of roundcubemail fixes some XSS issues:
- Fix XSS issue in template object 'username'
- Fix cross-site scripting (XSS) via malicious XML attachment
and improves the fix for CVE-2020-12641

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.3.12
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12641

========================
Updated packages in core/updates_testing:
========================
roundcubemail-1.3.12-1.mga7.noarch.rpm

SRPM:
roundcubemail-1.3.12-1.mga7.src.rpm
Assignee: mageia => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
This laptop had a previous version of roundcubemail, so reused the config file after creating the database in mysql.
Getting into trouble with the connection string. Trying to log in to roundcubemail gets me "Connection to storage server failed".
When I try at the CLI:
$ mysql -u roundcube:tester@localhost/roundcubemail
ERROR 1045 (28000): Access denied for user 'roundcube:tester@localhost/roundcubemail'@'localhost' (using password: NO)
but with
$ mysql -u roundcube -p roundcubemail
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
beats me
CC: (none) => herman.viaene
@herman: if you want to connect via the command line, hostnames must be specified via -h (but localhost is the default), so your connection string should look like this:
mysql -u roundcube -h localhost -p roundcubemail
I was trying the command line to come to terms with the error I get when connecting to roundcubemail. It has in its settings the string mysql://roundcube:tester@localhost/roundcubemail, and I can't see what is wrong with it. But while I am typing and searching, I find that this error can also occur when the dovecot service is not running, and that is something which is not mentioned in the wiki or previous tests. I'll get back when I can run my testing laptop again.
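The two comments above show the same DSN being read two different ways: Roundcube's db_dsnw value mysql://roundcube:tester@localhost/roundcubemail bundles user, password, host and database into one URL, while the mysql client wants them as separate -u, -h, -p and database arguments (passing the whole DSN to -u produces exactly the "Access denied for user 'roundcube:tester@localhost/roundcubemail'" error quoted earlier). The following is an added example, not part of this bug report or of Roundcube's code: it parses a DSN of that shape into its parts, builds the equivalent mysql command line, and flags the mistake of handing the whole DSN to -u. The DSN used in the check is the one from the thread; the second DSN (with a percent-encoded password and a port) is constructed for illustration.

```python
"""Turn a Roundcube-style DSN into the mysql client arguments that test it.

Added example (not Roundcube's own code). Assumes the DSN has the shape
scheme://user:password@host[:port]/dbname, which is what the thread shows.
"""
from urllib.parse import urlsplit, unquote

# Roundcube 1.3 accepts both spellings for MariaDB/MySQL backends.
MYSQL_SCHEMES = {"mysql", "mysqli"}


def parse_dsn(dsn):
    """Split 'mysql://user:pass@host[:port]/dbname' into its components."""
    parts = urlsplit(dsn)
    if parts.scheme not in MYSQL_SCHEMES:
        raise ValueError(f"unsupported DSN scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("DSN has no host part")
    dbname = parts.path.lstrip("/")
    if not dbname:
        raise ValueError("DSN has no database name")
    return {
        # Percent-decoding is how a URL-shaped DSN carries ':' or '@'
        # inside a password; a literal '@' would be split as the host.
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname,
        "port": parts.port,  # None when the DSN has no explicit port
        "dbname": dbname,
    }


def dsn_to_mysql_argv(dsn):
    """Build the argv for the mysql client that checks the DSN from a shell.

    The password is deliberately not placed on the command line (it would be
    visible in `ps` and in shell history); a bare -p makes mysql prompt for it.
    """
    p = parse_dsn(dsn)
    argv = ["mysql", "-u", p["user"], "-h", p["host"]]
    if p["port"] is not None:
        argv += ["-P", str(p["port"])]
    if p["password"]:
        argv.append("-p")
    argv.append(p["dbname"])
    return argv


def diagnose_user_arg(user_arg):
    """Return a message if the -u value looks like a whole DSN, else None."""
    if any(ch in user_arg for ch in ":@/"):
        return ("the value given to -u contains ':' '@' or '/': the whole DSN "
                "was passed as the user name; split it with -u/-h/-p instead")
    return None


if __name__ == "__main__":
    thread_dsn = "mysql://roundcube:tester@localhost/roundcubemail"
    print(" ".join(dsn_to_mysql_argv(thread_dsn)))
    print(diagnose_user_arg("roundcube:tester@localhost/roundcubemail"))
```

For the DSN from the thread this prints `mysql -u roundcube -h localhost -p roundcubemail`, which is the command line suggested above. Note that a working database connection does not by itself make the webmail login succeed: the IMAP server (dovecot here) must also be reachable, which is the "Connection to storage server failed" case mentioned in the same comment.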
OK, please post the log output from php/apache; I assume there is a more specific error shown there.
I overlooked bug 22941 Comment 3 that dovecot is needed. But now struggling to get that one configured. Giving up on it for now.
Installed and tested without issues.

Tested in a system setup with apache, PHP-FPM, mariadb and dovecot. Tested with several email accounts with GiB of emails.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep roundcubemail
roundcubemail-1.3.12-1.mga7

$ rpm -qa | egrep '(mariadb|apache|php-fpm|dovecot)' | sort
apache-2.4.43-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.43-1.mga7
apache-mod_php-7.3.18-1.mga7
apache-mod_proxy-2.4.43-1.mga7
apache-mod_ssl-2.4.43-1.mga7
dovecot-2.3.10.1-1.mga7
dovecot-pigeonhole-2.3.10.1-1.mga7
lib64mariadb3-10.3.22-1.mga7
mariadb-10.3.22-1.mga7
mariadb-client-10.3.22-1.mga7
mariadb-common-10.3.22-1.mga7
mariadb-common-core-10.3.22-1.mga7
mariadb-core-10.3.22-1.mga7
mariadb-extra-10.3.22-1.mga7
php-fpm-7.3.18-1.mga7

$ systemctl status httpd.service php-fpm.service dovecot.service mysqld.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-06-04 22:07:05 WEST; 1h 41min ago
 Main PID: 17540 (httpd)
   Status: "Total requests: 58; Idle/Busy workers 100/0;Requests/sec: 0.00953; Bytes served/sec: 176 B/sec"
    Tasks: 258 (limit: 4697)
   Memory: 43.7M
   CGroup: /system.slice/httpd.service
           ├─17540 /usr/sbin/httpd -DFOREGROUND
           ├─17542 /usr/sbin/httpd -DFOREGROUND
           ├─17543 /usr/sbin/httpd -DFOREGROUND
           ├─17544 /usr/sbin/httpd -DFOREGROUND
           ├─17546 /usr/sbin/httpd -DFOREGROUND
           └─17868 /usr/sbin/httpd -DFOREGROUND

jun 04 22:07:05 marte systemd[1]: Starting The Apache HTTP Server...
jun 04 22:07:05 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-06-04 22:07:41 WEST; 1h 40min ago
 Main PID: 17817 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 11, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4697)
   Memory: 24.2M
   CGroup: /system.slice/php-fpm.service
           ├─17817 php-fpm: master process (/etc/php-fpm.conf)
           ├─17829 php-fpm: pool www
           └─17972 php-fpm: pool www

jun 04 22:07:40 marte systemd[1]: Starting The PHP FastCGI Process Manager...
jun 04 22:07:41 marte systemd[1]: Started The PHP FastCGI Process Manager.

● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-06-04 15:40:21 WEST; 8h ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 7777 (dovecot)
    Tasks: 7 (limit: 4697)
   Memory: 13.5M
   CGroup: /system.slice/dovecot.service
           ├─7777 /usr/sbin/dovecot -F
           ├─7779 dovecot/anvil
           ├─7780 dovecot/log
           ├─7781 dovecot/imap-login
           ├─7782 dovecot/config
           ├─7783 dovecot/stats
           └─7791 dovecot/imap

jun 04 22:07:54 marte dovecot[7780]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=17978, secured, session=<SNIP>
jun 04 22:07:54 marte dovecot[7780]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=17980, secured, session=<SNIP>
jun 04 22:07:54 marte dovecot[7780]: imap(pclx)<17978><w7fGiUinttL9AAAAAAEAAQAAAAAAAAAB>: Logged out in=303 out=2837 deleted=0 expunged=0 trashed=0 hdr_count=3 hdr_bytes=992 body_count=0 body_bytes=0
jun 04 22:07:54 marte dovecot[7780]: imap(pclx)<17980><tAnHiUinuNL9AAAAAAEAAQAAAAAAAAAB>: Logged out in=1073 out=3365 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-06-04 22:07:50 WEST; 1h 47min ago
  Process: 17853 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
 Main PID: 17867 (mysqld)
   Status: "Taking your SQL requests now..."
    Tasks: 30 (limit: 4697)
   Memory: 60.8M
   CGroup: /system.slice/mysqld.service
           └─17867 /usr/sbin/mysqld

jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] InnoDB: 10.3.22 started; log sequence number 296577098; transaction id 895136
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
jun 04 22:07:50 marte mysqld[17867]: 200604 22:07:50 server_audit: MariaDB Audit Plugin version 1.4.8 STARTED.
jun 04 22:07:50 marte mysqld[17867]: 200604 22:07:50 server_audit: Query cache is enabled with the TABLE events. Some table reads can be veiled.2020-06-04 22:07:50 0 [Note] Reading of all Master_info entries s>
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] Added new Master_info '' to hash table
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] /usr/sbin/mysqld: ready for connections.
jun 04 22:07:50 marte mysqld[17867]: Version: '10.3.22-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 0 Mageia MariaDB Server
jun 04 22:07:50 marte systemd[1]: Started MySQL database server.
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] InnoDB: Buffer pool(s) load completed at 200604 22:07:50
CC: (none) => mageia
No success in getting this to work. I keep getting "Login failed" although I can connect at the CLI to the database.
(In reply to Herman Viaene from comment #8)
> No success in getting this to work. I keep getting "Login failed" although I
> can connect at the CLI to the database.

Are you trying to use the database username/password to log in to roundcubemail? That is probably not correct. It depends on how roundcubemail is configured, but try your system username and password (the ones you use to log in to your GNU/Linux user account). I think that would work with the roundcubemail default configuration.
Debian has issued an advisory for this on June 11:
https://www.debian.org/security/2020/dsa-4700

Make sure you add the CVEs to the advisory.
Summary: some xss issues in roundcubemail => roundcubemail new security issues CVE-2020-1396[45]
Followed the advice of PC LX, logged in as a normal user, and that worked. Despite getting a message "Server Error: STATUS: Internal error occurred" I could send a mail out. But I could not receive the answer. Checked the config file and found I did not enter the default hostname correctly. Once that was OK, I could log in with my mail-id and all worked well.
Whiteboard: (none) => MGA7-64-OK
Thank the both of you! Validating. Advisory information in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
(In reply to Thomas Andrews from comment #12)
> Thank the both of you! Validating. Advisory information in Comment 1.

Not completely. See Comment 10.
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0261.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2020-12641:
https://bugzilla.suse.com/show_bug.cgi?id=1171148
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html
CC: (none) => luigiwalser
This update also fixed CVE-2020-18670 and CVE-2020-18671:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BPPHYZD6Y3QJBTGPLX66Y3DJ3KCNEUJQ/