Bug 463554 (CVE-2013-1904) - <mail-client/roundcube-0.8.6: generic_message_footer File disclosure (CVE-2013-1904)
Alias: CVE-2013-1904
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Reported: 2013-03-28 00:55 UTC by Philippe Chaintreuil
Modified: 2013-10-06 15:28 UTC
Description Philippe Chaintreuil 2013-03-28 00:55:05 UTC
Roundcube has released a bug fix version of their new 0.8.x line.  Contains a bug fix for "a recently reported vulnerability that allows an attacker to access files on the server."  (Attacker in this case is a user of your mail system, not a random joe from anywhere.)

I haven't tried yet, but usually just renaming the last ebuild is all roundcube needs to be updated.

Reproducible: Always

Security issue, so I'm going to mark critical.  Let me know if I shouldn't have.
Comment 1 Philippe Chaintreuil 2013-03-28 01:01:46 UTC
I just noticed that we've added 0.9 beta & RC1 to the tree.  It looks like they've released 0.9 RC2 to address this.
Comment 2 Tim Harder gentoo-dev 2013-03-28 02:43:27 UTC
Arches please stabilize:
Comment 3 Vicente Olivert Riera (RETIRED) gentoo-dev 2013-03-28 14:49:47 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-03-30 09:37:29 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-03-30 12:58:33 UTC
x86 stable
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-31 14:49:49 UTC
Ready for vote, I vote NO.
Comment 7 Agostino Sarubbo gentoo-dev 2013-04-02 12:09:34 UTC
arm stable
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-06 21:13:55 UTC
GLSA vote: no. 

Closing noglsa.