Bug 570336 (CVE-2015-8770) - <mail-client/roundcube-1.1.4: Remote Code Execution (CVE-2015-8770)
Status: RESOLVED FIXED
Alias: CVE-2015-8770
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.htbridge.com/advisory/HTB...
Whiteboard: B1 [glsa]
Reported: 2015-12-31 07:22 UTC by Yury German
Modified: 2016-03-09 09:32 UTC
Description Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 07:22:52 UTC
A Remote Code Execution vulnerability has been discovered and will be disclosed on January 11, 2016.
Comment 1 Aaron W. Swenson gentoo-dev 2016-01-14 18:56:18 UTC
commit 8a3bcf93eba9de75950be6b0cf1c09b3edf36171
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Jan 14 13:45:54 2016 -0500

    mail-client/roundcube: Version Bump
    
    Version bump fixes bug 570834 and addresses multiple security bugs.
    
    Bug: 570834,564476,570336
    
    Package-Manager: portage-2.2.20.1

Stabilization targets:
=mail-client/roundcube-1.1.4 ~amd64 ~hppa ~ppc ~sparc ~x86

Stabilization targets pending resolution of 571920:
=mail-client/roundcube-1.1.4 ~arm ~ppc64
Comment 2 Agostino Sarubbo gentoo-dev 2016-01-17 17:07:51 UTC
ppc stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-18 04:51:34 UTC
Why is PPC64 even here?
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-18 04:52:26 UTC
Same for HPPA.
Comment 5 Andreas Schürch gentoo-dev 2016-01-20 15:34:41 UTC
x86 done
Comment 6 Agostino Sarubbo gentoo-dev 2016-01-21 11:20:34 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-01-21 11:20:51 UTC
sparc has nothing to do here
Comment 8 Agostino Sarubbo gentoo-dev 2016-01-21 13:20:52 UTC
amd64 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 9 Aaron W. Swenson gentoo-dev 2016-01-21 13:56:37 UTC
commit fddb2b8c50395843639b43ea9a908a94bc887924
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Jan 21 08:51:17 2016 -0500

    mail-client/roundcube: Remove Insecure Versions
    
    Removed insecure versions 1.0.5, 1.0.6, and 1.1.3.
    
    Bug: 554866, 564476, 570336
    
    Package-Manager: portage-2.2.26
Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-08 20:35:41 UTC
New GLSA request filed
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-05 09:26:23 UTC
CVE has been published. Removing block as this is all in one GLSA across multiple versions.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-03-09 09:32:40 UTC
This issue was resolved and addressed in
 GLSA 201603-03 at https://security.gentoo.org/glsa/201603-03
by GLSA coordinator Sergey Popov (pinkbyte).