Fedora has issued an advisory on August 21: http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html It looks like an issue is fixed upstream in 0.7.3, and they patched another one. More info is on the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=849615
CC: (none) => mageia
Whiteboard: (none) => MGA2TOO
Fixed in Cauldron by Damien. Mageia 2 pending.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
Assignee: bugsquad => mageia
Mageia 2 update in progress. Damien updated it to 0.7.3, now it just needs the patch: http://pkgs.fedoraproject.org/cgit/roundcubemail.git/plain/roundcubemail-0.7.3-xss-sig.patch?h=f17&id=ac0541ca40878a5daf0fcae3457c41239b308462
Advisory:
-------------
This update of roundcubemail is a bugfix and security (XSS signature) update.

Packages:
-------------
roundcubemail-0.7.3-1.mga2.src.rpm

How to test:
-------------
- Install roundcube in Mageia 2.
- Configure it.
- Install the update package and check it's still working as expected.

FYI:
- here is the ChangeLog: http://trac.roundcube.net/wiki/Changelog#Release0.7.3
- here is the XSS patch: https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
Status: NEW => ASSIGNED
Assignee: mageia => qa-bugs
Summary: roundcubemail new security issues fixed in 0.8.1 => [Update Request] roundcubemail - Bugfix and Security issues fixed in 0.7.3 + patch
Source RPM: roundcubemail-0.7.2-1.mga2.src.rpm => roundcubemail-0.7.3-2.mga2.src.rpm
Thanks Damien! Just to flesh out the advisory, this fixes two CVEs:

Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email (CVE-2012-3508).

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email (CVE-2012-4668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4668
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html
http://trac.roundcube.net/wiki/Changelog#Release0.7.3
Status: ASSIGNED => NEW
Tested on i586 and x86_64. Could not reproduce the XSS vulnerability in either the previous version of Core-Updates or in Updates_testing. No regression detected. Updates validated.

Advisory
========
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email (CVE-2012-3508).

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email (CVE-2012-4668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4668
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html
http://trac.roundcube.net/wiki/Changelog#Release0.7.3

src rpm: roundcubemail-0.7.3-1.mga2.src.rpm

Could someone from the sysadmin team push to Core_Updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => marc.lattemann, sysadmin-bugs
Whiteboard: (none) => MGA2-32-OK, MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0292
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
I'm confused here since CVE-2012-3508 and CVE-2012-4668 have not been fixed yet. https://bugzilla.redhat.com/show_bug.cgi?id=849615#c7 However, after researching this today, all issues have been fixed in 0.8.6.
CC: (none) => oe
That comment doesn't say it's not fixed. I don't know why that particular bug is still open, but this bug is the Fedora tracker for those issues: https://bugzilla.redhat.com/show_bug.cgi?id=849616 It was closed when they issued the same update that we did.