New release of Roundcube 1.3 is available, 1.3.8. Among other things, it fixes a security issue.

"This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8."

No CVE assigned yet.

* Release notes: https://github.com/roundcube/roundcubemail/releases/tag/1.3.8
* XSS vuln issue: https://github.com/roundcube/roundcubemail/issues/6410

--
Gentoo Security Scout
Vladimir Krstulja
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da4ec2b100597b0e25a43e10059ac2dbfba3dd0e

commit da4ec2b100597b0e25a43e10059ac2dbfba3dd0e
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-11-04 11:00:31 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-11-04 11:00:34 +0000

    mail-client/roundcube: Security Bump to 1.3.8

    Resolves a XSS vulnerability. Additionally, contains updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8.

    Bug: https://bugs.gentoo.org/669696
    Package-Manager: Portage-2.3.49, Repoman-2.3.11
    Signed-off-by: Aaron Swenson <titanofold@gentoo.org>

 mail-client/roundcube/Manifest               |  1 +
 mail-client/roundcube/roundcube-1.3.8.ebuild | 96 ++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+)
Please stabilize: =mail-client/roundcube-1.3.8 ~amd64 ~arm ~ppc ~ppc64 ~sparc ~x86
x86 stable
sparc stable
amd64 stable
arm stable
Looking good on ppc64.

# cat roundcube-669696.report
USE tests started on Sa 17. Nov 20:35:51 CET 2018
merging test dependencies of =mail-client/roundcube-1.3.8 failed
USE='-change-password enigma ldap managesieve -mysql -postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma ldap managesieve mysql postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma ldap managesieve mysql -postgres -spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma -ldap -managesieve mysql -postgres spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password -enigma -ldap -managesieve mysql postgres -spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma -ldap managesieve mysql postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma -ldap managesieve mysql -postgres spell -sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma ldap -managesieve mysql postgres spell -sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password -enigma ldap -managesieve mysql postgres -spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma -ldap -managesieve mysql postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma ldap -managesieve -mysql postgres -spell -sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma ldap managesieve -mysql -postgres -spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
Looking good on ppc.

# cat /mnt/mychroot/root/tatt/roundcube-669696.report
USE tests started on Sa 17. Nov 15:04:06 CET 2018
merging test dependencies of =mail-client/roundcube-1.3.8 failed
USE='change-password -enigma ldap -managesieve mysql -postgres -spell -sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma ldap -managesieve -mysql postgres -spell -sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password -enigma ldap managesieve -mysql -postgres -spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma -ldap managesieve mysql postgres -spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password enigma ldap -managesieve mysql -postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password enigma ldap -managesieve -mysql postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma -ldap managesieve -mysql postgres -spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma ldap managesieve -mysql -postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password enigma ldap -managesieve mysql postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password -enigma ldap -managesieve mysql -postgres spell -sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password -enigma ldap managesieve -mysql postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma ldap managesieve mysql -postgres spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
ppc/ppc64 stable thanks to ernsteiswuerfel!
@maintainers, please drop the vulnerable.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccd38d0162c3dea1860773d0c53dd6c7c90c56a8

commit ccd38d0162c3dea1860773d0c53dd6c7c90c56a8
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-11-26 10:19:29 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-11-26 10:20:34 +0000

    mail-client/roundcube: Remove old, insecure

    Bug: https://bugs.gentoo.org/669696
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 mail-client/roundcube/Manifest               |  2 -
 mail-client/roundcube/roundcube-1.3.6.ebuild | 99 ----------------------------
 mail-client/roundcube/roundcube-1.3.7.ebuild | 96 ---------------------------
 3 files changed, 197 deletions(-)
(In reply to Larry the Git Cow from comment #11)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccd38d0162c3dea1860773d0c53dd6c7c90c56a8
>
> commit ccd38d0162c3dea1860773d0c53dd6c7c90c56a8
> Author:     Aaron W. Swenson <titanofold@gentoo.org>
> AuthorDate: 2018-11-26 10:19:29 +0000
> Commit:     Aaron W. Swenson <titanofold@gentoo.org>
> CommitDate: 2018-11-26 10:20:34 +0000
>
>     mail-client/roundcube: Remove old, insecure
>
>     Bug: https://bugs.gentoo.org/669696
>     Package-Manager: Portage-2.3.51, Repoman-2.3.11
>     Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>
>
>  mail-client/roundcube/Manifest               |  2 -
>  mail-client/roundcube/roundcube-1.3.6.ebuild | 99 ----------------------------
>  mail-client/roundcube/roundcube-1.3.7.ebuild | 96 ---------------------------
>  3 files changed, 197 deletions(-)

Thank you!