Roundcube 1.2.3 has been released. It's a bug fix & security release. Security details from the release summary: ======================================================================= "Included is a fix for a recently reported security issue when using PHP’s mail() function. It has been discovered by Robin Peraglie using RIPS and more details along with a CVE number will be pulished shortly." ======================================================================= These traditionally work fine by just renaming the last ebuild. (I'll report back shortly after I try locally.) Changelog: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123
Can confirm: just renaming roundcube-1.2.2.ebuild to roundcube-1.2.3.ebuild worked just fine for me.
Converting this report into a security bug. Thanks for the report!
CVE-2016-9920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9920): steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
I bumped the package, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec8ab56776b3bf6fd4d5faee022ffeaa9bd6c423 @ Arches, please test and mark stable: =mail-client/roundcube-1.2.3
amd64 stable
x86 stable
arm stable, all arches done.
New GLSA created. @ Maintainer(s): Please cleanup!
(In reply to Thomas Deutschmann from comment #8) > New GLSA created. > > @ Maintainer(s): Please cleanup! Done
This issue was resolved and addressed in GLSA 201612-44 at https://security.gentoo.org/glsa/201612-44 by GLSA coordinator Aaron Bauman (b-man).