
Bug 534766 (CVE-2014-9587)

Summary: <mail-client/roundcube-1.0.5: Possible CSRF attacks to some address book operations as well as to the ACL and Managesieve plugins (CVE-2014-9587,CVE-2015-1433)
Product: Gentoo Security
Reporter: Philippe Chaintreuil <gentoo_bugs_peep>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://roundcube.net/news/2014/12/18/update-1.0.4-released/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Philippe Chaintreuil 2015-01-05 12:52:54 UTC
Minor bug fix version: 

 * Security: Fix possible CSRF attacks to some address book operations as well as to the ACL and Managesieve plugins.
 * Fix attachments encoded in TNEF containers (from Outlook)
 * Fix compatibility with PHP 5.2


Reproducible: Always
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-17 21:23:22 UTC
CVE-2014-9587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9587):
  Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube
  Webmail before 1.0.4 allow remote attackers to hijack the authentication of
  unspecified victims via unknown vectors, related to (1) address book
  operations or the (2) ACL or (3) Managesieve plugins.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-17 21:25:12 UTC
Maintainers, please add arches when =mail-client/roundcube-1.0.4 is ready for stabilization.
Comment 3 Tim Harder gentoo-dev 2015-01-27 04:25:41 UTC
(In reply to Sean Amoss from comment #2)
> Maintainers, please add arches when =mail-client/roundcube-1.0.4 is ready
> for stabilization.

I'd say you'd want to stabilize 1.0.5 now instead, go ahead with that.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-01-31 22:37:24 UTC
Arches, please test and mark stable:

=mail-client/roundcube-1.0.5

Target Keywords : "amd64 arm ppc x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2015-02-01 16:37:20 UTC
amd64 stable
Comment 6 Markus Meier gentoo-dev 2015-02-08 21:09:14 UTC
arm stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 18:15:50 UTC
CVE-2015-1433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1433):
  program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not
  properly quote strings, which allows remote attackers to conduct cross-site
  scripting (XSS) attacks via the style attribute in an email.
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-15 15:08:14 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-18 09:17:30 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-02-24 00:55:10 UTC
Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-03-07 05:29:38 UTC
Arches and Maintainer(s), thank you for your work.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 17:53:42 UTC
GLSA vote: no.

Closing as [noglsa]