Bug 618322 (CVE-2017-8114) - <mail-client/roundcube-1.2.5: arbitrary password resets by authenticated users. (CVE-2017-8114)
Summary: <mail-client/roundcube-1.2.5: arbitrary password resets by authenticated user...
Status: RESOLVED FIXED
Alias: CVE-2017-8114
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-12 23:09 UTC by Volkan
Modified: 2017-07-08 20:21 UTC (History)

See Also:
Package list:
mail-client/roundcube-1.2.5
Runtime testing required: ---
stable-bot: sanity-check+


Description Volkan 2017-05-12 23:09:59 UTC
Roundcube Webmail allows arbitrary password resets by authenticated
users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and
1.2.x before 1.2.5. The problem is caused by an improperly restricted
exec call in the virtualmin and sasl drivers of the password plugin.

External References:

https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-06-04 21:03:29 UTC
CVE-2017-8114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8114):
  Roundcube Webmail allows arbitrary password resets by authenticated users.
  This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before
  1.2.5. The problem is caused by an improperly restricted exec call in the
  virtualmin and sasl drivers of the password plugin.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 21:08:24 UTC
Now in repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cacce1c76fc3f72971acc28703d0df7059d69936


@ Arches,

please test and mark stable: =mail-client/roundcube-1.2.5
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-05 11:06:17 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-05 14:30:55 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2017-06-08 05:08:50 UTC
arm stable, all arches done.
Comment 6 Aaron W. Swenson gentoo-dev 2017-06-19 10:36:20 UTC
Insecure version removed.

commit d73891e8c36797684cf8dad8d9c04fd0ea0209e8 (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Mon Jun 19 06:35:20 2017 -0400

    mail-client/roundcube: Remove Insecure 1.2.4
    
    Bug: 618322
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.1
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-19 11:24:46 UTC
GLSA Vote: Yes

New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 20:21:07 UTC
This issue was resolved and addressed in GLSA 201707-11 at https://security.gentoo.org/glsa/201707-11 by GLSA coordinator Thomas Deutschmann (whissi).