From https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/

> The security-related fixes in particular are:
> * XSS vulnerability in _mbox argument

Fix XSS vulnerability in _mbox argument handling (#1490417)
http://trac.roundcube.net/ticket/1490417

The XSS vulnerability can be triggered by appending malicious script code to the _mbox parameter. The following example will pop an alert box:

https://{YOURSERVER}/?_task=mail&_mbox=INBOX%22%3E%3Cscript%3Ealert(%22Roundcube+v1.1.1+XSS%22)%3C%2Fscript%3E

Attackers could use this vulnerability to steal cookies or extract email content.

Commit:
1.1: http://trac.roundcube.net/changeset/b782815dac/github

Not claimed to affect 1.0.

> * security improvement in contact photo handling

Fix security issue in contact photo handling (#1490379)
http://trac.roundcube.net/ticket/1490379

There is a potential for an arbitrary read from an authenticated user who uploads a contact (vCard) with a specially crafted POST. [...] by supplying the "_alt" param in the POST. User must be authenticated. [...] I was able to read any file on disk (the apache has access to, e.g. config/config.inc.php) using GET request

Commits:
1.1: http://trac.roundcube.net/changeset/681ba6fc3/github
1.0: http://trac.roundcube.net/changeset/6ccd4c54b/github

> * potential info disclosure from temp directory

Fix potential info disclosure issue by protecting directory access (#1490378)
http://trac.roundcube.net/ticket/1490378

The logs directory is not protected from browsing. Most log entries are not bad, but one became evident on my host that was pretty nasty. It looked like the following:

[25-Apr-2015 04:03:11 -0400]: <ijpv9kqo> DB Error: [1062] Duplicate entry 'ijpv9kqofvpksxxxxxxxxxxxx' for key 'PRIMARY' (SQL Query: INSERT INTO `session` (`sess_id`, `vars`, `ip`, `created`, `changed`) VALUES ('ijpv9kqofvpksxxxxxxxx', 'xxxxxxxxxxxxxxxxxxxxxxx=', '108.61.90.131', now(), now())) in /var/www/html/roundcubemail-1.1.1/program/lib/Roundcube/rcube_db.php on line 543 (POST /roundcubemail-1.1.1/?_task=mail&_action=refresh?_task=&_action=)

I obfuscated the sensitive fields, but this would be enough for a non-credential user to view the file (via the webroot/logs/errors file), and then replace their own cookies with the entry from above to log in as a user that was listed there. This seems to be a very rare occurrence, but considering that other SQL/other actions might report other sensitive data into this file, it might be worth automatically protecting this directory with an .htaccess file, or prepending a php tag to avoid overt reading by any unauthenticated user.

Commits:
http://trac.roundcube.net/changeset/012555c1c/github
1.1: http://trac.roundcube.net/changeset/16640c7fb0c8/github

Not claimed to affect 1.0.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
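The log exposure described in the comment above, as an added example that is not part of this bug report or of Roundcube's own code: a scanner that flags entries in a Roundcube errors log which echo the `session` table INSERT (full session id plus serialized session data) and produces a redacted copy suitable for sharing. The regexes are built from the log format quoted above and the sample lines are constructed; the IMAP and PHP entries are only illustrative.

```python
from __future__ import annotations
import re

# Roundcube "errors" log format as quoted in the ticket (constructed regex, not Roundcube code):
# [date]: <session-tag> message in /path/file.php on line N (METHOD /uri)
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]: <(?P<tag>[^>]*)> (?P<msg>.*)$")
# A failed INSERT into `session` is echoed verbatim into the log, including the
# full session id (first value) and the serialized session data (second value).
SESSION_INSERT_RE = re.compile(
    r"INSERT INTO `session` \([^)]*\) VALUES \('(?P<sess_id>[^']*)', '(?P<vars>[^']*)'"
)
DUP_ENTRY_RE = re.compile(r"Duplicate entry '(?P<value>[^']*)' for key 'PRIMARY'")

# Constructed sample log: one IMAP error, one leaking DB error, one PHP notice.
SAMPLE_LOG = """\
[25-Apr-2015 04:01:02 -0400]: <k3j8qa2p> IMAP Error: Login failed for bob against localhost from 192.0.2.10 in /var/www/html/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 184 (POST /roundcubemail/?_task=login&_action=login)
[25-Apr-2015 04:03:11 -0400]: <k3j8qa2p> DB Error: [1062] Duplicate entry 'k3j8qa2pEXAMPLESESSIONID' for key 'PRIMARY' (SQL Query: INSERT INTO `session` (`sess_id`, `vars`, `ip`, `created`, `changed`) VALUES ('k3j8qa2pEXAMPLESESSIONID', 'c2VyaWFsaXplZC1zZXNzaW9uLWRhdGE=', '192.0.2.10', now(), now())) in /var/www/html/roundcubemail/program/lib/Roundcube/rcube_db.php on line 543 (POST /roundcubemail/?_task=mail&_action=refresh)
[25-Apr-2015 04:05:40 -0400]: <k3j8qa2p> PHP Error: Undefined index: foo in /var/www/html/roundcubemail/plugins/example/example.php on line 12 (GET /roundcubemail/?_task=mail)
"""


def redact_line(line: str) -> tuple[str, list[str]]:
    """Return (line with session secrets masked, kinds of leak found)."""
    m = LINE_RE.match(line)
    if not m:
        return line, []          # not a Roundcube log entry; pass through untouched
    msg, leaks, secrets = m.group("msg"), [], []
    ins = SESSION_INSERT_RE.search(msg)
    if ins:
        leaks.append("session_insert")
        secrets += [ins.group("sess_id"), ins.group("vars")]
    dup = DUP_ENTRY_RE.search(msg)
    if dup:
        leaks.append("duplicate_key")
        secrets.append(dup.group("value"))
    for secret in secrets:
        if secret:               # mask every occurrence, not just the first
            msg = msg.replace(secret, "<redacted>")
    # The <tag> is only a prefix of the session id, so it is kept for correlation.
    return f"[{m.group('ts')}]: <{m.group('tag')}> {msg}", leaks


def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """1-based line numbers of entries that leak session material, with the leak kinds."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        leaks = redact_line(line)[1]
        if leaks:
            hits.append((n, leaks))
    return hits
```

Run `scan_log` over a real errors log to find entries worth rotating sessions for; the redacted form is what to paste into a bug report. Protecting the directory itself (the .htaccess or PHP-prefix fix the comment suggests) is still the actual mitigation.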
For 1.0.6, I just renamed the ebuild and compiled. It's been working fine for about a month.
Same here.
Any progress here please? It's a trivial bump for 1.0.6.
Tomas: I think all the attention is going to 1.1.1. I simply updated my local tree with a renamed 1.0.5 ebuild for 1.0.6
1.0.6 in the tree, 1.1.2 will come later. Arches please stabilize.
amd64 stable
x86 stable
ppc stable
arm stable, all arches done.
I'll add arches in a day or so to make sure no issues crop up.

commit c20f39cdcba8d3f75fcd7d6c09e80d2ee0655e40
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Wed Dec 9 07:44:37 2015 -0500

    mail-client/roundcube: Version bump, security, and bug fixes

    Added two use flags controlling optional dependencies to support the enigma and sieverules plugins.

    Added REQUIRED_USE as one of postgres, mysql, or sqlite must be enabled. Roundcube requires a database to operate. As the ebuild uses this now, removed the default enable on the mysql USE flag.

    Added POST-UPGRADE.txt which is just a shortened version of the UPGRADE text from upstream.

    Dropped arm and ppc64 keywords as one dependency, dev-php/PEAR-Net_LDAP2, currently lacks matching keywords for those architectures.

    Bug: 541172, 545096, 524192, 564476, 565204, 53284
    Package-Manager: portage-2.2.20.1
commit fddb2b8c50395843639b43ea9a908a94bc887924
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Jan 21 08:51:17 2016 -0500

    mail-client/roundcube: Remove Insecure Versions

    Removed insecure versions 1.0.5, 1.0.6, and 1.1.3.

    Bug: 554866, 564476, 570336
    Package-Manager: portage-2.2.26
Assigned to GLSA 74a1a7303
This issue was resolved and addressed in GLSA 201603-03 at https://security.gentoo.org/glsa/201603-03 by GLSA coordinator Sergey Popov (pinkbyte).