It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace. https://github.com/roundcube/roundcubemail/releases/tag/1.3.14
Updated roundcubemail packages fix security vulnerabilities: This update fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace. References: https://github.com/roundcube/roundcubemail/releases/tag/1.3.14 ======================== Updated packages in core/updates_testing: ======================== roundcubemail-1.3.14-1.mga7.noarch.rpm SRPM: roundcubemail-1.3.14-1.mga7.src.rpm
Assignee: mageia => qa-bugs
MGA7-64 Plasma on Lenovo B50 No installation issues. Ref bug 22941 for installation. Checked phpmyadmin, mysqld, httpd, dovecot and php-fpm are installed and running. Made changes in roundcube conf for gmail IMAP settings Run at CLI: # mysql -u roundcube -p roundcubemail < /usr/share/doc/roundcubemail/SQL/mysql.initial.sql Enter password: Checked with phpmyadmin that tables have been created, then # /usr/share/roundcubemail/bin/install-jsdeps.sh -bash: /usr/share/roundcubemail/bin/install-jsdeps.sh: No such file or directory This step is still in the roundcube docs, but is still needed? Anyway, pointing the browser at http://localhost/roundcubemail/ just draws a blank page, no error or warning of any kind.
CC: (none) => herman.viaene
Installed and tested without issues. Tested on setup with apache, PHP-FPM, mariadb and dovecot. Tested with multiple email accounts with GiB of emails. System: Mageia 7, x86_64, Intel CPU. $ uname -a Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | grep roundcubemail roundcubemail-1.3.14-1.mga7 $ $ $ rpm -qa | egrep '(mariadb|apache|php-fpm|dovecot)' | sort apache-2.4.43-1.mga7 apache-commons-io-2.6-3.mga7 apache-commons-logging-1.2-9.mga7 apache-mod_http2-2.4.43-1.mga7 apache-mod_php-7.3.19-2.mga7 apache-mod_proxy-2.4.43-1.mga7 apache-mod_ssl-2.4.43-1.mga7 dovecot-2.3.10.1-1.mga7 dovecot-pigeonhole-2.3.10.1-1.mga7 lib64mariadb3-10.3.23-1.mga7 mariadb-10.3.23-1.mga7 mariadb-client-10.3.23-1.mga7 mariadb-common-10.3.23-1.mga7 mariadb-common-core-10.3.23-1.mga7 mariadb-core-10.3.23-1.mga7 mariadb-extra-10.3.23-1.mga7 php-fpm-7.3.19-2.mga7 $ systemctl status httpd.service php-fpm.service dovecot.service ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Mon 2020-07-06 15:49:22 WEST; 3h 38min ago Main PID: 10921 (httpd) Status: "Total requests: 96; Idle/Busy workers 92/8;Requests/sec: 0.00733; Bytes served/sec: 126 B/sec" Tasks: 66 (limit: 4697) Memory: 34.8M CGroup: /system.slice/httpd.service ├─10921 /usr/sbin/httpd -DFOREGROUND ├─10922 /usr/sbin/httpd -DFOREGROUND └─10923 /usr/sbin/httpd -DFOREGROUND jul 06 15:49:22 marte systemd[1]: Starting The Apache HTTP Server... jul 06 15:49:22 marte systemd[1]: Started The Apache HTTP Server. ● php-fpm.service - The PHP FastCGI Process Manager Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled) Active: active (running) since Mon 2020-07-06 19:17:33 WEST; 10min ago Main PID: 14791 (php-fpm) Status: "Processes active: 0, idle: 2, Requests: 32, slow: 0, Traffic: 0req/sec" Tasks: 3 (limit: 4697) Memory: 47.1M CGroup: /system.slice/php-fpm.service ├─14791 php-fpm: master process (/etc/php-fpm.conf) ├─14877 php-fpm: pool www └─14898 php-fpm: pool www jul 06 19:17:33 marte systemd[1]: Starting The PHP FastCGI Process Manager... jul 06 19:17:33 marte systemd[1]: Started The PHP FastCGI Process Manager. ● dovecot.service - Dovecot IMAP/POP3 email server Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled) Active: active (running) since Mon 2020-07-06 19:17:45 WEST; 10min ago Docs: man:dovecot(1) http://wiki2.dovecot.org/ Main PID: 14878 (dovecot) Tasks: 9 (limit: 4697) Memory: 18.5M CGroup: /system.slice/dovecot.service ├─14878 /usr/sbin/dovecot -F ├─14881 dovecot/anvil ├─14882 dovecot/log ├─14884 dovecot/config ├─14886 dovecot/stats ├─15357 dovecot/imap-login ├─15358 dovecot/imap ├─15375 dovecot/imap-login └─15378 dovecot/imap jul 06 19:18:26 marte dovecot[14882]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=15476, secured, session=<Q6oZ/MmpVsj9AAAAAAEAAQAAAAAAAAAB> jul 06 19:18:26 marte dovecot[14882]: imap(pclx)<15476><Q6oZ/MmpVsj9AAAAAAEAAQAAAAAAAAAB>: Logged out in=393 out=7750 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=434 body_count=1 body_bytes=5660 jul 06 19:18:30 marte dovecot[14882]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=15478, secured, session=<f3JU/MmpWMj9AAAAAAEAAQAAAAAAAAAB> jul 06 19:18:30 marte dovecot[14882]: imap(pclx)<15478><f3JU/MmpWMj9AAAAAAEAAQAAAAAAAAAB>: Logged out in=306 out=1690 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=337 body_count=0 body_bytes=0 jul 06 19:18:34 marte dovecot[14882]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=15481, secured, session=<5D6N/MmpWsj9AAAAAAEAAQAAAAAAAAAB>
CC: (none) => mageia
Debian has issued an advisory for this today (July 8): https://www.debian.org/security/2020/dsa-4720 Make sure to include the CVE in the advisory.
Summary: Roundcubemail: XSS vulnerability in svg images => Roundcubemail: XSS vulnerability in svg images (CVE-2020-15562)
This update has been working without issues for almost a week so I'm OKing this update. Please undo if you think its appropriate.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory information in Comment 1 and Comment 4.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0301.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED