Bug 28387 - roundcubemail security issue CVE-2021-26925
Summary: roundcubemail security issue CVE-2021-26925
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: MGA7TOO MGA7-64-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-20 10:14 CET by Zombie Ryushu
Modified: 2021-02-25 16:36 CET

See Also:
Source RPM: roundcubemail-1.4.10-1.mga8.src.rpm
CVE: CVE-2021-26925
Status comment:



Description Zombie Ryushu 2021-02-20 10:14:35 CET
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
Zombie Ryushu 2021-02-20 10:14:47 CET

CVE: (none) => CVE-2021-26925

Comment 1 Aurelien Oudelet 2021-02-20 13:16:31 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)


Fedora issued an advisory for this on February 17th, 2021:
For Fedora 32:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD/

For Fedora 33:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM/

Upstream security advisory here:
https://roundcube.net/news/2021/02/08/security-update-1.4.11

Assignee: bugsquad => mageia
Status comment: (none) => Fix here: https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596
Whiteboard: (none) => MGA7TOO MGA8TOO
CC: (none) => ouaurelien

David Walser 2021-02-20 18:45:26 CET

Severity: normal => major
Status comment: Fix here: https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596 => Fixed upstream in 1.4.11

Comment 2 Marc Krämer 2021-02-21 11:16:22 CET
Currently there is no new release for the 1.3 branch. I don't see why we should still support the old 1.3 branch and not switch to the 1.4 branch in mga7.

An update for mga8 is currently building and located in updates_testing.
Comment 3 Marc Krämer 2021-02-22 20:51:38 CET
Updated roundcube packages fix security vulnerabilities:

This update fixes cross-site scripting (XSS) via HTML messages with malicious CSS content.


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26925
https://roundcube.net/news/2021/02/08/security-update-1.4.11
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.4.11-1.mga7.noarch.rpm
roundcubemail-1.4.11-1.mga8.noarch.rpm

SRPM:
roundcubemail-1.4.11-1.mga7.src.rpm
roundcubemail-1.4.11-1.mga8.src.rpm

Assignee: mageia => qa-bugs

Aurelien Oudelet 2021-02-24 10:45:37 CET

Version: Cauldron => 8

Comment 4 PC LX 2021-02-25 16:27:56 CET
Installed and tested without issues.

This update has been in use for a few days.
Tested on a system with apache, php-fpm, mariadb and dovecot. 
Tested with several accounts with many thousands of emails and hundreds of folders.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.10.14-desktop-1.mga7 #1 SMP Sun Feb 7 19:36:25 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q roundcubemail
roundcubemail-1.4.11-1.mga7
$ systemctl status httpd.service php-fpm.service dovecot.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-02-25 09:44:34 WET; 5h 40min ago
 Main PID: 2608 (httpd)
   Status: "Total requests: 569; Idle/Busy workers 100/0;Requests/sec: 0.0278; Bytes served/sec: 294 B/sec"
    Tasks: 66 (limit: 4668)
   Memory: 34.8M
   CGroup: /system.slice/httpd.service
           ├─2608 /usr/sbin/httpd -DFOREGROUND
           ├─2609 /usr/sbin/httpd -DFOREGROUND
           └─2610 /usr/sbin/httpd -DFOREGROUND

fev 25 09:44:34 marte systemd[1]: Starting The Apache HTTP Server...
fev 25 09:44:34 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-02-25 14:50:21 WET; 35min ago
 Main PID: 28603 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 115, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4668)
   Memory: 46.8M
   CGroup: /system.slice/php-fpm.service
           ├─28603 php-fpm: master process (/etc/php-fpm.conf)
           ├─28839 php-fpm: pool www
           └─28903 php-fpm: pool www

fev 25 14:50:21 marte systemd[1]: Starting The PHP FastCGI Process Manager...
fev 25 14:50:21 marte php-fpm[28603]: [NOTICE] fpm is running, pid 28603
fev 25 14:50:21 marte php-fpm[28603]: [NOTICE] ready to handle connections
fev 25 14:50:21 marte systemd[1]: Started The PHP FastCGI Process Manager.
fev 25 14:50:21 marte php-fpm[28603]: [NOTICE] systemd monitor interval set to 10000ms
fev 25 14:50:26 marte phpMyAdmin[28635]: user denied: root (mysql-denied) from ::1

● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-02-25 09:41:20 WET; 5h 44min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 2464 (dovecot)
    Tasks: 9 (limit: 4668)
   Memory: 21.4M
   CGroup: /system.slice/dovecot.service
           ├─ 2464 /usr/sbin/dovecot -F
           ├─ 2466 dovecot/anvil
           ├─ 2467 dovecot/log
           ├─ 2469 dovecot/config
           ├─ 2470 dovecot/stats
           ├─23408 dovecot/imap-login
           ├─23410 dovecot/imap
           ├─29670 dovecot/auth
           └─29671 dovecot/auth -w

fev 25 15:20:53 marte dovecot[2467]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00::1, lip=fd00::1, mpid=29821, secured, session=<sQuJsiq8loX9AAAAAAAAAAAAAAAAAAAB>

Whiteboard: MGA7TOO MGA8TOO => MGA7TOO MGA8TOO MGA7-64-OK
CC: (none) => mageia
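
Added example (not part of the bug report or of Mageia's tooling): a shell check that classifies a roundcubemail package string, in the format `rpm -q roundcubemail` prints in comment 4, against the fixed version 1.4.11 given in the description. The function names are made up for this example, and `sort -V` (GNU coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example: is an installed roundcubemail package older than the
# release this bug names as fixed (1.4.11)?

FIXED_VERSION="1.4.11"

# Extract the upstream version from a name-version-release string such as
# "roundcubemail-1.4.11-1.mga7". Fails on anything that is not such a string.
nvr_version() {
    nvr=$1
    case "$nvr" in
        roundcubemail-*) ;;
        *) return 1 ;;
    esac
    rest=${nvr#roundcubemail-}   # "1.4.11-1.mga7"
    version=${rest%-*}           # drop the trailing "-release" field
    case "$version" in
        ''|*[!0-9.]*) return 1 ;; # only plain dotted numbers are accepted
    esac
    printf '%s\n' "$version"
}

# Print "vulnerable", "fixed" or "unknown" for one package string.
classify_roundcube() {
    version=$(nvr_version "$1") || { echo unknown; return 0; }
    # sort -V orders version strings; if the lower of the two is the fixed
    # version, the installed version is equal to it or newer.
    lowest=$(printf '%s\n%s\n' "$version" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_VERSION" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Sample inputs (constructed list): the two package versions named in this
# report and the message rpm prints when the package is absent.
# On a live host: classify_roundcube "$(rpm -q roundcubemail)"
for pkg in "roundcubemail-1.4.10-1.mga8" "roundcubemail-1.4.11-1.mga7" \
           "package roundcubemail is not installed"; do
    printf '%-42s %s\n' "$pkg" "$(classify_roundcube "$pkg")"
done
```
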

Comment 5 David Walser 2021-02-25 16:36:50 CET
The Mageia 8 update probably needs to be re-pushed if updates_testing was wiped as usual.

Status comment: Fixed upstream in 1.4.11 => (none)
Whiteboard: MGA7TOO MGA8TOO MGA7-64-OK => MGA7TOO MGA7-64-OK

