Fedora has issued an advisory today (November 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4/

The issues are fixed upstream in 1.5.0:
https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released
https://github.com/roundcube/roundcubemail/releases/tag/1.5.0

version 1.5.0 final pushed in mga8

src:
- roundcubemail-1.5.0-1.mga8
CC: (none) => mageia, mageia
Assignee: mageia => qa-bugs
Failed to install the update.

$ urpmi roundcubemail --test
A requested package cannot be installed:
roundcubemail-1.5.0-1.mga8.noarch (due to unsatisfied pear(TinyCPConnector.php))
Continue installation anyway? (Y/n) n

$ urpmf --files /TinyCPConnector.php
$ # Nothing found

$ uname -a
Linux marte 5.10.78-desktop-1.mga8 #1 SMP Sat Nov 6 13:40:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q roundcubemail
roundcubemail-1.5-0.beta.2.mga8
$ cat /etc/release
Mageia release 8 (Official) for x86_64
CC: (none) => mageia
Assignee: qa-bugs => mageia
Status comment: (none) => Unsatisfied pear dependency in update candidate

We have the same deps issue in Cauldron.
Fedora has issued an advisory today (January 12):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TPIGI7LQQIBILELWRDTJL5ZU3EZBYSYM/

The issue is fixed upstream in 1.5.2 (December 30):
https://github.com/roundcube/roundcubemail/releases/tag/1.5.2
Summary: roundcubemail new security issues CVE-2021-4402[56] => roundcubemail new security issues CVE-2021-4402[56] and XSS issue fixed in 1.5.2
Updated roundcube mail packages fix security vulnerabilities:

This update fixes two security issues found in roundcube mail.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44026
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.5.2-1.mga8.noarch

SRPM:
roundcubemail-1.5.2-1.mga8.src.rpm

Status comment: Unsatisfied pear dependency in update candidate => (none)
Assignee: mageia => qa-bugs
Installed and tested without issues.

Have been using this update for over a week without issues so I'm going to give it an OK. Please unOK if needed.

Tested using a system with apache, PHP-FPM, mariadb and dovecot.
Tested using large email accounts with GiB of emails.
Have 2FA enabled using a 3rd party plugin: roundcubemail-plugin-twofactor_gauthenticator

System: Mageia 8, x86_64, Intel CPU.

$ uname -a
Linux marte 5.15.16-desktop-1.mga8 #1 SMP Thu Jan 20 16:28:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.5.2-1.mga8
$ systemctl status httpd.service php-fpm.service dovecot.service mysqld.service
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2022-01-26 10:24:27 WET; 1min 1s ago
TriggeredBy: ● httpd.socket
   Main PID: 2778 (httpd)
     Status: "Total requests: 88; Idle/Busy workers 100/0;Requests/sec: 1.49; Bytes served/sec: 28KB/sec"
      Tasks: 54 (limit: 4690)
     Memory: 35.1M
        CPU: 164ms
     CGroup: /system.slice/httpd.service
             ├─2778 /usr/sbin/httpd -DFOREGROUND
             ├─2779 /usr/sbin/httpd -DFOREGROUND
             └─2780 /usr/sbin/httpd -DFOREGROUND

jan 26 10:24:27 marte systemd[1]: Starting The Apache HTTP Server...
jan 26 10:24:27 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
     Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2022-01-26 10:24:27 WET; 1min 2s ago
TriggeredBy: ● php-fpm.socket
   Main PID: 2833 (php-fpm)
     Status: "Processes active: 0, idle: 1, Requests: 7, slow: 0, Traffic: 0req/sec"
      Tasks: 2 (limit: 4690)
     Memory: 25.9M
        CPU: 637ms
     CGroup: /system.slice/php-fpm.service
             ├─2833 php-fpm: master process (/etc/php-fpm.conf)
             └─2837 php-fpm: pool www

jan 26 10:24:27 marte systemd[1]: Starting The PHP FastCGI Process Manager...
jan 26 10:24:27 marte php-fpm[2833]: [NOTICE] fpm is running, pid 2833
jan 26 10:24:27 marte php-fpm[2833]: [NOTICE] ready to handle connections
jan 26 10:24:27 marte systemd[1]: Started The PHP FastCGI Process Manager.
jan 26 10:24:27 marte php-fpm[2833]: [NOTICE] systemd monitor interval set to 10000ms

● dovecot.service - Dovecot IMAP/POP3 email server
     Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2022-01-26 10:18:55 WET; 6min ago
TriggeredBy: ● dovecot.socket
       Docs: man:dovecot(1)
             https://doc.dovecot.org/
   Main PID: 1633 (dovecot)
     Status: "v2.3.17.1 (476cd46418) running"
      Tasks: 9 (limit: 4690)
     Memory: 38.7M
        CPU: 740ms
     CGroup: /system.slice/dovecot.service
             ├─1633 /usr/sbin/dovecot -F
             ├─1635 dovecot/anvil
             ├─1636 dovecot/log
             ├─1637 dovecot/imap-login
             ├─1638 dovecot/config
             ├─1640 dovecot/stats
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0039.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

(In reply to David Walser from comment #4)
> Fedora has issued an advisory today (January 12):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TPIGI7LQQIBILELWRDTJL5ZU3EZBYSYM/
>
> The issue is fixed upstream in 1.5.2 (December 30):
> https://github.com/roundcube/roundcubemail/releases/tag/1.5.2

This is CVE-2021-46144:
https://www.debian.org/lts/security/2022/dla-2878
Summary: roundcubemail new security issues CVE-2021-4402[56] and XSS issue fixed in 1.5.2 => roundcubemail new security issues CVE-2021-4402[56] and XSS issue fixed in 1.5.2 (CVE-2021-46144)