Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 308065 (CVE-2010-0464)

Summary: <mail-client/roundcube-0.4: DNS prefetching information leak (CVE-2010-0464)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: bug, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://trac.roundcube.net/ticket/1486449
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:52:45 UTC 
CVE-2010-0464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0464):
  Roundcube 0.3.1 and earlier does not request that the web browser
  avoid DNS prefetching of domain names contained in e-mail messages,
  which makes it easier for remote attackers to determine the network
  location of the webmail user by logging DNS requests.
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-04-28 00:21:56 UTC 
FYI: Patch exists.

http://trac.roundcube.net/changeset/3293
Comment 2 Tim Harder gentoo-dev 2010-09-28 05:38:46 UTC 
I've added a new revision in the tree that applies a version of the upstream patch. 

I'll leave this bug open until the new revision or newer version is stabilized.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-28 18:13:57 UTC 
Arches, please test and mark stable:
=mail-client/roundcube-0.4
Target keywords : "amd64 arm ppc ppc64 x86"
Comment 4 Tim Harder gentoo-dev 2010-09-30 18:28:04 UTC 
If it's not too late, can we move to stabilizing roundcube-0.4.1 instead? It was released and added to the tree less than a day after your first stable request.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-30 19:03:02 UTC 
(In reply to comment #4)
> If it's not too late, can we move to stabilizing roundcube-0.4.1 instead? It
> was released and added to the tree less than a day after your first stable
> request.
> 

Only if it fixed a showstopper bug in 0.4. Early stabilizations are granted for security updates only, however in the case of a serious regression, the stable target can be reconsidered, but that's a decision to be made for the specific case.
Comment 6 Tim Harder gentoo-dev 2010-09-30 21:09:23 UTC 
(In reply to comment #5)
> Only if it fixed a showstopper bug in 0.4. Early stabilizations are granted for
> security updates only, however in the case of a serious regression, the stable
> target can be reconsidered, but that's a decision to be made for the specific
> case.

I don't think I'd call any of bugs that were fixed showstoppers so stabilizing roundcube-0.4 is fine.
Comment 7 Andreas Schürch gentoo-dev 2010-10-01 11:46:53 UTC 
I tested mail-client/roundcube-0.4 on x86 against my dovecot imap server and it seems to work flawless!
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2010-10-03 16:21:03 UTC 
amd64 done
Comment 9 Markus Meier gentoo-dev 2010-10-05 19:09:44 UTC 
x86 stable, thanks Andreas
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-10-08 14:24:01 UTC 
ppc64 done
Comment 11 Brent Baude (RETIRED) gentoo-dev 2010-10-08 14:56:47 UTC 
ppc done
Comment 12 Markus Meier gentoo-dev 2010-10-10 20:51:19 UTC 
arm stable, all arches done.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-10 22:55:49 UTC 
Just a minor information leak. Closing noglsa, feel free to reopen.

Can you please remove the older, vulnerable versions?
Comment 14 Tim Harder gentoo-dev 2010-10-11 00:56:45 UTC 
(In reply to comment #13)
> Can you please remove the older, vulnerable versions?

Done.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-11 02:27:13 UTC 
Thanks! :)