Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 534766 (CVE-2014-9587) - <mail-client/roundcube-1.0.5: Possible CSRF attacks to some address book operations as well as to the ACL and Managesieve plugins (CVE-2014-9587,CVE-2015-1433)
Summary: <mail-client/roundcube-1.0.5: Possible CSRF attacks to some address book oper...
Status: RESOLVED FIXED
Alias: CVE-2014-9587
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://roundcube.net/news/2014/12/18/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-05 12:52 UTC by Philippe Chaintreuil
Modified: 2015-03-18 17:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Philippe Chaintreuil 2015-01-05 12:52:54 UTC
Minor bug fix version: 

 * Security: Fix possible CSRF attacks to some address book operations as well as to the ACL and Managesieve plugins.
 * Fix attachments encoded in TNEF containers (from Outlook)
 * Fix compatibility with PHP 5.2


Reproducible: Always
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-17 21:23:22 UTC
CVE-2014-9587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9587):
  Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube
  Webmail before 1.0.4 allow remote attackers to hijack the authentication of
  unspecified victims via unknown vectors, related to (1) address book
  operations or the (2) ACL or (3) Managesieve plugins.
Comment 2 Sean Amoss gentoo-dev Security 2015-01-17 21:25:12 UTC
Maintainers, please add arches when =mail-client/roundcube-1.0.4 is ready for stabilization.
Comment 3 Tim Harder gentoo-dev 2015-01-27 04:25:41 UTC
(In reply to Sean Amoss from comment #2)
> Maintainers, please add arches when =mail-client/roundcube-1.0.4 is ready
> for stabilization.

I'd say you'd want to stabilize 1.0.5 now instead, go ahead with that.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2015-01-31 22:37:24 UTC
Arches, please test and mark stable:

=mail-client/roundcube-1.0.5

Target Keywords : "amd64 arm ppc x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2015-02-01 16:37:20 UTC
amd64 stable
Comment 6 Markus Meier gentoo-dev 2015-02-08 21:09:14 UTC
arm stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 18:15:50 UTC
CVE-2015-1433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1433):
  program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not
  properly quote strings, which allows remote attackers to conduct cross-site
  scripting (XSS) attacks via the style attribute in an email.
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-15 15:08:14 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-18 09:17:30 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2015-02-24 00:55:10 UTC
Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-07 05:29:38 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 17:53:42 UTC
GLSA vote: no.

Closing as [noglsa]