| Field | Value |
|---|---|
| Summary | mail-client/roundcube-1.2.0: Multiple vulnerabilities (CVE-2016-4069) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Philippe Chaintreuil <gentoo_bugs_2_peep> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | Normal |
| CC | gentoo, hydrapolic, titanofold, vk-gentoo-bugs, web-apps |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://roundcube.net/news/2016/04/20/updates-1.1.5-and-1.0.9-published |
| Whiteboard | B4 [noglsa cve] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 584200 |
| Bug Blocks | |
| Attachments | |
Description (Philippe Chaintreuil, 2016-04-21 16:06:04 UTC)
Multiple vulnerabilities for roundcube have been fixed in 1.1.5: http://www.openwall.com/lists/oss-security/2016/04/23/3

- Fix XSS issue in SVG images handling (#4949)
- Protect download urls against CSRF using unique request tokens (#4957)

https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115 also mentions:

- Fix (again) security issue in DBMail driver of password plugin (CVE-2015-2181) (#4958)

Created attachment 431740: 1.1.5 ebuild -- fixes download url

Attached an updated ebuild that just changes the SRC_URI from mirror://sourceforge/ to the new https://github.com/ location. (I tried to use mirror://github/, but that stuck a "/download/" at the base of the URL that messed it up. If someone knows how to fix that, feel free.) This ebuild worked for me (1.1.4 -> 1.1.5).

*** Bug 583414 has been marked as a duplicate of this bug. ***

1.2.0 has been released, which also fixes php7 compatibility for stable releases: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-120

Created attachment 435124: 1.1.4 -> 1.2.0.patch

Made a 1.1.4 -> 1.2.0.ebuild.patch
Basically rename + changed EAPI to 6
No testing of USE-flags (builds for me with ssl and mysql)

Added a github pull request for 1.1.5 in hopes it makes life easier and moves this along: https://github.com/gentoo/gentoo/pull/1538

I opened a separate bug #584098 to track 1.2.0 since this 1.1.5 has specific security patches, whereas 1.2.0 has new features.

Thank you for working on this, Kim Sindalsen and Philippe Chaintreuil. I also have to beg your forgiveness as I forgot to thank you in the commit. I stared at it for several minutes thinking I was forgetting something, and not being able to remember, pushed it.

commit 4d31c895c86b85f0fec9effbaf37b55c8a2229fb
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date: Sun May 29 13:35:04 2016 -0400

mail-client/roundcube: Fix Multiple Vulnerabilities

Many security issues/enhancements are resolved with this release. The most significant being:

* Fix (again) security issue in DBMail driver of password plugin (CVE-2015-2181)
* Fix path traversal vulnerability in setting a skin (CVE-2015-8770)
* Fix XSS issue in SVG images handling
* Fix XSS issue in href attribute on area tag

You can find the complete list of changes in the included CHANGELOG or at: https://github.com/roundcube/roundcubemail/wiki/Changelog

Bug: 580746, 584200, 584098
Package-Manager: portage-2.2.26

@Security: This bug should probably be consolidated into 584200.

@Security: Please vote!

CVE-2016-4069 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4069): Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.

GLSA Vote: No