Fix stored cross-site scripting (XSS) vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].
Updated roundcubemail fixes a security vulnerability: Fixes stored cross-site scripting (XSS) vulnerability via HTML or plain text messages with malicious content [1] [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35730 [2] https://github.com/roundcube/roundcubemail/releases/tag/1.3.16 SRPM: roundcubemail-1.3.16-1.mga7.src.rpm RPMS in core/updates_testing: roundcubemail-1.3.16-1.mga7.noarch.rpm
Assignee: mageia => qa-bugs
Installed and tested without issues. Tested on setup with apache, php-fpm, mariadb and dovecot. Tested with multiple email accounts with GiB of emails. System: Mageia 7, x86_64, Intel CPU. $ uname -a Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ rpm -q roundcubemail roundcubemail-1.3.16-1.mga7 $ rpm -qa | egrep '(mariadb|apache|php-fpm|dovecot)' | sort apache-2.4.46-1.mga7 apache-commons-io-2.6-3.mga7 apache-commons-logging-1.2-9.mga7 apache-mod_http2-2.4.46-1.mga7 apache-mod_php-7.3.23-1.mga7 apache-mod_proxy-2.4.46-1.mga7 apache-mod_ssl-2.4.46-1.mga7 dovecot-2.3.11.3-1.mga7 dovecot-pigeonhole-2.3.11.3-1.mga7 lib64mariadb3-10.3.27-1.mga7 mariadb-10.3.27-1.mga7 mariadb-client-10.3.27-1.mga7 mariadb-common-10.3.27-1.mga7 mariadb-common-core-10.3.27-1.mga7 mariadb-core-10.3.27-1.mga7 mariadb-extra-10.3.27-1.mga7 php-fpm-7.3.23-1.mga7 $ systemctl status httpd.service php-fpm.service dovecot.service ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Mon 2020-12-28 10:43:41 WET; 1h 5min ago Main PID: 3207 (httpd) Status: "Total requests: 279; Idle/Busy workers 100/0;Requests/sec: 0.0708; Bytes served/sec: 852 B/sec" Tasks: 66 (limit: 4684) Memory: 34.3M CGroup: /system.slice/httpd.service ├─3207 /usr/sbin/httpd -DFOREGROUND ├─3208 /usr/sbin/httpd -DFOREGROUND └─3209 /usr/sbin/httpd -DFOREGROUND dez 28 10:43:41 marte systemd[1]: Starting The Apache HTTP Server... dez 28 10:43:41 marte systemd[1]: Started The Apache HTTP Server. ● php-fpm.service - The PHP FastCGI Process Manager Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled) Active: active (running) since Mon 2020-12-28 11:40:35 WET; 8min ago Main PID: 523 (php-fpm) Status: "Processes active: 0, idle: 2, Requests: 110, slow: 0, Traffic: 0req/sec" Tasks: 3 (limit: 4684) Memory: 26.8M CGroup: /system.slice/php-fpm.service ├─523 php-fpm: master process (/etc/php-fpm.conf) ├─628 php-fpm: pool www └─660 php-fpm: pool www dez 28 11:40:35 marte systemd[1]: Starting The PHP FastCGI Process Manager... dez 28 11:40:35 marte php-fpm[523]: [NOTICE] fpm is running, pid 523 dez 28 11:40:35 marte php-fpm[523]: [NOTICE] ready to handle connections dez 28 11:40:35 marte systemd[1]: Started The PHP FastCGI Process Manager. dez 28 11:40:35 marte php-fpm[523]: [NOTICE] systemd monitor interval set to 10000ms ● dovecot.service - Dovecot IMAP/POP3 email server Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled) Active: active (running) since Mon 2020-12-28 11:28:47 WET; 20min ago Docs: man:dovecot(1) http://wiki2.dovecot.org/ Main PID: 6325 (dovecot) Tasks: 5 (limit: 4684) Memory: 43.3M CGroup: /system.slice/dovecot.service ├─6325 /usr/sbin/dovecot -F ├─6327 dovecot/anvil ├─6328 dovecot/log ├─6330 dovecot/config └─6332 dovecot/stats dez 28 11:47:12 marte dovecot[6328]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=957, secured, session=<QJe11YS3vIn9AAAAAAEAAQAAAAAAAAAB> dez 28 11:47:12 marte dovecot[6328]: imap(pclx)<957><QJe11YS3vIn9AAAAAAEAAQAAAAAAAAAB>: Logged out in=402 out=3231 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=435 body_count=1 body_bytes=1197 dez 28 11:47:14 marte dovecot[6328]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=961, secured, session=<N3nT1YS3won9AAAAAAEAAQAAAAAAAAAB> dez 28 11:47:14 marte dovecot[6328]: imap(pclx)<961><N3nT1YS3won9AAAAAAEAAQAAAAAAAAAB>: Logged out in=444 out=8309 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=444 body_count=2 body_bytes=6012 dez 28 11:47:17 marte dovecot[6328]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=964, secured, session=<AM/61YS3xIn9AAAAAAEAAQAAAAAAAAAB> dez 28 11:47:17 marte dovecot[6328]: imap(pclx)<964><AM/61YS3xIn9AAAAAAEAAQAAAAAAAAAB>: Logged out in=444 out=8309 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=444 body_count=2 body_bytes=6012 dez 28 11:47:24 marte dovecot[6328]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=986, secured, session=<eTZo1oS34on9AAAAAAEAAQAAAAAAAAAB> dez 28 11:47:24 marte dovecot[6328]: imap(pclx)<986><eTZo1oS34on9AAAAAAEAAQAAAAAAAAAB>: Logged out in=444 out=42408 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=444 body_count=2 body_bytes=40102 dez 28 11:47:33 marte dovecot[6328]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=1023, secured, session=<7W3y1oS36on9AAAAAAEAAQAAAAAAAAAB> dez 28 11:47:33 marte dovecot[6328]: imap(pclx)<1023><7W3y1oS36on9AAAAAAEAAQAAAAAAAAAB>: Logged out in=2541 out=14397 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Whiteboard: (none) => MGA7-64-OKCC: (none) => mageia
Summary: XSS issue in roundcubemail => roundcubemail new XSS security issue CVE-2020-35730
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Advisory pushed to SVN.
Keywords: (none) => advisoryComponent: RPM Packages => SecurityCC: (none) => ouaurelienSource RPM: roundcubemail => roundcubemail-1.3.15-1.mga7.src.rpmQA Contact: (none) => securityCVE: (none) => CVE-2020-35730
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0481.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Debian has issued an advisory for this on December 28: https://www.debian.org/security/2020/dsa-4821