Bug 27079 - roundcubemail new security issues (including CVE-2020-16145)
Summary: roundcubemail new security issues (including CVE-2020-16145)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Duplicates: 27883
Depends on:
Blocks:
 
Reported: 2020-08-10 23:18 CEST by Marc Krämer
Modified: 2020-12-20 14:23 CET
CC List: 4 users

See Also:
Source RPM: roundcubemail-1.3.14
CVE:
Status comment:


Attachments

Description Marc Krämer 2020-08-10 23:18:33 CEST
new security issues:
CVE-2020-16145

Fix potential XSS issue in HTML editor of the identity signature input
Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
Fix cross-site scripting (XSS) via HTML messages with malicious math content
Comment 1 Marc Krämer 2020-08-10 23:31:03 CEST
Updated roundcubemail fixes security issues:

Fix potential XSS issue in HTML editor of the identity signature input
Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
Fix cross-site scripting (XSS) via HTML messages with malicious math content

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16145
https://github.com/roundcube/roundcubemail/releases/tag/1.3.15

Updated packages in core/updates_testing:
roundcubemail-1.3.15-1.mga7.noarch.rpm

SRPM:
roundcubemail-1.3.15-1.mga7.src.rpm

Assignee: mageia => qa-bugs
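The three fixes listed in the advisory come down to one defensive rule for a webmail client: untrusted HTML must pass through an allow-list sanitizer that drops whole `<svg>` and `<math>` subtrees, every event-handler attribute and every URL outside a small set of schemes before the message is handed to the browser. The sanitizer below is an added example written for this page, not Roundcube's own washtml code; its tag and attribute allow-lists, the `SAMPLE_MESSAGE` and the hypothetical `x()` placeholder are constructed for illustration only.

```python
"""Allow-list HTML sanitizer for untrusted mail bodies.

Added example for this bug page, not Roundcube's washtml implementation.
Drops the SVG and MathML subtrees named in the advisory, scriptable
attributes and non-allow-listed URL schemes, and keeps an audit trail.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements removed together with their whole subtree: the svg/math cases
# from the advisory plus the usual scriptable containers.
DROP_SUBTREE = {"svg", "math", "script", "style", "iframe", "object", "embed"}
# Constructed minimal allow-list; any other tag is stripped but its text kept.
ALLOWED_TAGS = {"p", "br", "div", "span", "b", "i", "u", "em", "strong",
                "a", "img", "ul", "ol", "li", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """True only for relative URLs and the allow-listed schemes."""
    if value is None:
        return False
    # Browsers ignore tabs/newlines inside a scheme, so strip control
    # characters and whitespace before deciding what the scheme is.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments, joined at the end
        self.dropped = []    # audit trail of removed tags/attributes
        self.drop_depth = 0  # >0 while inside a dropped subtree

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth += 1   # nested element inside a dropped subtree
            return
        if tag in DROP_SUBTREE:
            self.dropped.append(tag)
            self.drop_depth = 1        # swallow everything up to the matching close
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # unknown tag stripped, its text content kept
            return
        clean = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                self.dropped.append(f"{tag}@{name}")
            elif name in ("href", "src") and not safe_url(value):
                self.dropped.append(f"{tag}@{name}")
            else:
                clean.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> style tags: open, and close only for non-void elements
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # re-escape text content

    def handle_comment(self, data):
        self.dropped.append("comment")  # comments never reach the browser


def sanitize_html(html):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message; x() is a hypothetical placeholder function.
SAMPLE_MESSAGE = (
    '<p>Hello <b>team</b>,</p>'
    '<svg width="10"><circle r="5"/><script>x()</script></svg>'
    '<math><mi>x</mi></math>'
    '<p onmouseover="x()">see <a href="https://example.org/report">the report</a>'
    ' and <a href="javascript:x()">this</a><img src="cid:logo"></p>'
    '<!-- tracking -->'
)

if __name__ == "__main__":
    body, removed = sanitize_html(SAMPLE_MESSAGE)
    print(body)
    print("dropped:", removed)
```

The `dropped` list is the part worth keeping in a real deployment: logging what the sanitizer removed per message gives a cheap detection signal for mail that carries `svg`, `math` or event-handler attributes, which is exactly the content the 1.3.15 fixes are about.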

David Walser 2020-08-11 03:48:40 CEST

Version: Cauldron => 7
Summary: roundcubemail: malicoious content (svg, math, ...) => roundcubemail new security issues (including CVE-2020-16145)

Comment 2 PC LX 2020-08-11 21:24:16 CEST
Installed and tested without issues.

Tested on setup with apache, PHP-FPM, mariadb and dovecot.
Tested with multiple email accounts with GiB of emails.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q roundcubemail
roundcubemail-1.3.15-1.mga7
$ rpm -qa | egrep '(mariadb|apache|php-fpm|dovecot)' | sort
apache-2.4.43-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.43-1.mga7
apache-mod_php-7.3.19-2.mga7
apache-mod_proxy-2.4.43-1.mga7
apache-mod_ssl-2.4.43-1.mga7
dovecot-2.3.10.1-1.mga7
dovecot-pigeonhole-2.3.10.1-1.mga7
lib64mariadb3-10.3.24-1.mga7
mariadb-10.3.24-1.mga7
mariadb-client-10.3.24-1.mga7
mariadb-common-10.3.24-1.mga7
mariadb-common-core-10.3.24-1.mga7
mariadb-core-10.3.24-1.mga7
mariadb-extra-10.3.24-1.mga7
php-fpm-7.3.19-2.mga7
$ systemctl status httpd.service php-fpm.service dovecot.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-08-11 10:27:49 WEST; 9h ago
 Main PID: 2724 (httpd)
   Status: "Total requests: 373; Idle/Busy workers 88/12;Requests/sec: 0.0105; Bytes served/sec: 138 B/sec"
    Tasks: 66 (limit: 4697)
   Memory: 39.7M
   CGroup: /system.slice/httpd.service
           ├─2724 /usr/sbin/httpd -DFOREGROUND
           ├─2725 /usr/sbin/httpd -DFOREGROUND
           └─2726 /usr/sbin/httpd -DFOREGROUND

ago 11 10:27:49 marte systemd[1]: Starting The Apache HTTP Server...
ago 11 10:27:49 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-08-11 18:01:23 WEST; 2h 20min ago
 Main PID: 9976 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 81, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4697)
   Memory: 42.7M
   CGroup: /system.slice/php-fpm.service
           ├─ 9976 php-fpm: master process (/etc/php-fpm.conf)
           ├─ 9977 php-fpm: pool www
           └─11605 php-fpm: pool www

ago 11 18:01:23 marte systemd[1]: Starting The PHP FastCGI Process Manager...
ago 11 18:01:23 marte php-fpm[9976]: [NOTICE] fpm is running, pid 9976
ago 11 18:01:23 marte php-fpm[9976]: [NOTICE] ready to handle connections
ago 11 18:01:23 marte systemd[1]: Started The PHP FastCGI Process Manager.
ago 11 18:01:23 marte php-fpm[9976]: [NOTICE] systemd monitor interval set to 10000ms

● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-08-11 10:18:07 WEST; 10h ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 2513 (dovecot)
    Tasks: 5 (limit: 4697)
   Memory: 14.6M
   CGroup: /system.slice/dovecot.service
           ├─2513 /usr/sbin/dovecot -F
           ├─2515 dovecot/anvil
           ├─2516 dovecot/log
           ├─2518 dovecot/config
           └─2520 dovecot/stats

ago 11 20:02:01 marte dovecot[2516]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=11754, secured, session=<dbDLtJ6saIr9AAAAAAEAAQAAAAAAAAAB>
ago 11 20:02:01 marte dovecot[2516]: imap(pclx)<11754><dbDLtJ6saIr9AAAAAAEAAQAAAAAAAAAB>: Logged out in=387 out=27317 deleted=0 expunged=0 trashed=0 hdr_count=50 hdr_bytes=14781 body_count=0 body_bytes=0
ago 11 20:02:03 marte dovecot[2516]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=11756, secured, session=<bcjjtJ6saor9AAAAAAEAAQAAAAAAAAAB>
ago 11 20:02:03 marte dovecot[2516]: imap(pclx)<11756><bcjjtJ6saor9AAAAAAEAAQAAAAAAAAAB>: Logged out in=400 out=6870 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=555 body_count=1 body_bytes=4670
ago 11 20:02:04 marte dovecot[2516]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=11758, secured, session=<verwtJ6sbIr9AAAAAAEAAQAAAAAAAAAB>
ago 11 20:02:04 marte dovecot[2516]: imap(pclx)<11758><verwtJ6sbIr9AAAAAAEAAQAAAAAAAAAB>: Logged out in=400 out=6825 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=506 body_count=1 body_bytes=4674

CC: (none) => mageia

Comment 3 David Walser 2020-08-12 18:56:54 CEST
Debian has issued an advisory for this today (August 12):
https://www.debian.org/security/2020/dsa-4744
David Walser 2020-08-16 15:58:24 CEST

Whiteboard: (none) => MGA7-64-OK

David Walser 2020-08-16 16:08:50 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2020-08-16 16:20:23 CEST
Advisory and package list in Comment 1.
Aurelien Oudelet 2020-08-18 21:26:31 CEST

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-08-18 22:44:55 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0339.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 David Walser 2020-12-20 14:23:58 CET
*** Bug 27883 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu
