* Fixed in 1.4.4, 1.3.11, 1.2.10 (not in tree)
  - Cross-Site Scripting (XSS) via malicious HTML content
  - CSRF attack can cause an authenticated user to be logged out
  - Remote code execution via crafted config options
  - Path traversal vulnerability allowing local file inclusion via crafted ‘plugins’ option
  URL: https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
  (Note that upstream say the latter two are only possible with the public installer, so unlikely in production.)

* Fixed in 1.3.10
  - Fix bug where it was possible to bypass the position:fixed CSS check in received messages (6898)
  - Fix bug where some strict remote URIs in url() style were unintentionally blocked (6899)
  - Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (6897)
  - Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (6896)
  URL: https://github.com/roundcube/roundcubemail/releases/tag/1.3.10
@maintainer(s), please bump to 1.4.4 and 1.3.11.
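As an added check (this example is not from the bug report, the Gentoo tree, or Roundcube itself): a small Python script that decides, per branch, whether an installed Roundcube version is at or past the fixed releases listed above (1.2.10, 1.3.11, 1.4.4), and that looks for the `enable_installer` option in a Roundcube `config.inc.php`, since upstream's note about the public installer is what turns the RCE and path traversal items into a production concern. The `FIXED` table, the version regex, the handling of pre-release suffixes and of branches newer than 1.4, and the constructed sample config are all assumptions of this example; `enable_installer` is the name of the real Roundcube config option, but the regex only handles the plain `$config['enable_installer'] = true|false;` assignment form.

```python
# Added example: branch-aware version check for the Roundcube security
# releases 1.2.10 / 1.3.11 / 1.4.4, plus a check for the public installer.
# Not code from the Gentoo bug, the ebuild, or Roundcube itself.
import re

# First fixed release per maintained branch, from the 2020-04-29 advisory.
FIXED = {
    (1, 2): (1, 2, 10),
    (1, 3): (1, 3, 11),
    (1, 4): (1, 4, 4),
}

# Accepts "1.3.11", "1.4.4-rc1", "1.4.4_rc1"; the suffix grammar is an
# assumption of this example, not Roundcube's own versioning rules.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:[-_.]?(rc|beta|alpha)\d*)?$", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, patch, is_prerelease); raise ValueError otherwise."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch = (int(x) for x in match.group(1, 2, 3))
    return major, minor, patch, match.group(4) is not None


def is_fixed(text):
    """True if the version carries the fixes for its branch.

    - A branch in FIXED is fixed from its listed release onwards; a
      pre-release of that exact release (1.4.4-rc1) sorts before it.
    - Branches older than 1.2 never received the fix: always False.
    - Branches newer than 1.4 are assumed to include it (an assumption
      of this example; confirm against the upstream changelog).
    """
    major, minor, patch, prerelease = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        fixed = FIXED[branch]
        if (major, minor, patch) > fixed:
            return True
        if (major, minor, patch) == fixed:
            return not prerelease
        return False
    return branch > max(FIXED)


def classify(versions):
    """Map each version string to 'fixed', 'vulnerable' or 'unparseable'."""
    result = {}
    for v in versions:
        try:
            result[v] = "fixed" if is_fixed(v) else "vulnerable"
        except ValueError:
            result[v] = "unparseable"
    return result


# Matches the plain assignment form used in Roundcube's config files.
# Only this form is handled; a value computed at runtime is not seen.
_INSTALLER_RE = re.compile(
    r"\$config\[\s*['\"]enable_installer['\"]\s*\]\s*=\s*(true|false)\s*;",
    re.IGNORECASE,
)


def installer_enabled(config_text):
    """True if the last enable_installer assignment in the text is true.

    Returns False when the option is absent (Roundcube defaults it to false).
    """
    matches = _INSTALLER_RE.findall(config_text)
    return bool(matches) and matches[-1].lower() == "true"


# Constructed sample config fragment, not taken from any real installation.
SAMPLE_CONFIG = """<?php
$config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
$config['enable_installer'] = true;   // left over from setup
"""

if __name__ == "__main__":
    checked = classify(["1.3.10", "1.3.11", "1.4.3", "1.4.4", "1.2.9", "1.1.12"])
    for version, state in checked.items():
        print(f"{version:8} {state}")
    print("installer enabled:", installer_enabled(SAMPLE_CONFIG))
```

On a Gentoo host the version string would come from the installed package (for example the output of `qlist -Iv mail-client/roundcube`, with the category and package name stripped), and the config text from the deployed `config.inc.php`; both are left to the caller here so the example runs offline.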
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08d3ce13b04dd7fb41103d143630e2751f36faf8

commit 08d3ce13b04dd7fb41103d143630e2751f36faf8
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-05-11 10:50:56 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-11 10:52:09 +0000

    mail-client/roundcube: bump to v1.3.11

    Bug: https://bugs.gentoo.org/720876
    Closes: https://bugs.gentoo.org/720144
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/roundcube/Manifest                |  1 +
 mail-client/roundcube/roundcube-1.3.11.ebuild | 97 +++++++++++++++++++++++++++
 2 files changed, 98 insertions(+)
x86 stable
sparc stable
@amd64, ping
PPC, PPC64, ARM, AMD64?
arm stable
Looking good on ppc64.

# cat roundcube-720876.report
USE tests started on Sa 27. Jun 13:39:23 CEST 2020
FEATURES=' test' USE='mysql' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma -ldap -managesieve mysql postgres spell -sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma ldap managesieve mysql postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma -ldap -managesieve -mysql postgres -spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma -ldap -managesieve -mysql -postgres -spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma ldap -managesieve mysql postgres -spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password -enigma -ldap managesieve -mysql -postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma ldap managesieve mysql -postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma -ldap managesieve mysql postgres spell -sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma ldap managesieve -mysql -postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma -ldap -managesieve mysql postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma -ldap managesieve mysql -postgres -spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma ldap managesieve -mysql -postgres spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
Looking good on ppc.

# cat roundcube-720876.report
USE tests started on Sa 27. Jun 17:52:40 CEST 2020
FEATURES=' test' USE='mysql' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma -ldap -managesieve mysql postgres spell -sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma -ldap managesieve mysql -postgres -spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma -ldap managesieve mysql postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma ldap managesieve mysql -postgres spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma ldap -managesieve -mysql postgres spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma -ldap -managesieve -mysql -postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password -enigma ldap managesieve mysql postgres -spell -sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma -ldap managesieve mysql postgres -spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma ldap -managesieve mysql -postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma ldap managesieve mysql postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password -enigma -ldap -managesieve mysql postgres -spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma -ldap managesieve -mysql postgres spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
ppc/ppc64 stable thanks to ernsteiswuerfel \o/
amd64: ping
amd64 stable

----

Please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=637bca0e8feef63e8d6578d81bf342ac1d8e1e65

commit 637bca0e8feef63e8d6578d81bf342ac1d8e1e65
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-07-23 20:31:54 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-07-23 20:39:56 +0000

    mail-client/roundcube: Cleanup

    Bug: https://bugs.gentoo.org/720876
    Bug: https://bugs.gentoo.org/726944
    Closes: https://bugs.gentoo.org/705388
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 mail-client/roundcube/Manifest                |  7 --
 mail-client/roundcube/roundcube-1.3.10.ebuild | 96 ---------------------------
 mail-client/roundcube/roundcube-1.3.8.ebuild  | 96 ---------------------------
 mail-client/roundcube/roundcube-1.3.9.ebuild  | 96 ---------------------------
 mail-client/roundcube/roundcube-1.4.0.ebuild  | 73 --------------------
 mail-client/roundcube/roundcube-1.4.1.ebuild  | 73 --------------------
 mail-client/roundcube/roundcube-1.4.2.ebuild  | 73 --------------------
 mail-client/roundcube/roundcube-1.4.3.ebuild  | 73 --------------------
 8 files changed, 587 deletions(-)
This issue was resolved and addressed in GLSA 202007-41 at https://security.gentoo.org/glsa/202007-41 by GLSA coordinator Sam James (sam_c).