Minor bug fix version: "delivering important bug fixes and helps protect Roundcube against more XSS and CSRF attacks. Version 1.1.5 also has two new plugin hooks integrated [...]." Changelog: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115 Roundcube version bumps have historically only required an ebuild copy+rename. Nothing indicates that this version would require anything more.
Multiple vulnerabilities in roundcube have been fixed in 1.1.5: http://www.openwall.com/lists/oss-security/2016/04/23/3

* Fix XSS issue in SVG images handling (#4949)
* Protect download urls against CSRF using unique request tokens (#4957)

https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115 also mentions:

* Fix (again) security issue in DBMail driver of password plugin (CVE-2015-2181) (#4958)
Created attachment 431740 [details] 1.1.5 ebuild -- fixes download url

Attached an updated ebuild that just changes the SRC_URI from mirror://sourceforge/ to the new https://github.com/ location. (I tried to use mirror://github/, but that stuck a "/download/" at the base of the URL that messed it up. If someone knows how to fix that, feel free.) This ebuild worked for me (1.1.4 -> 1.1.5).
*** Bug 583414 has been marked as a duplicate of this bug. ***
1.2.0 has been released, which also fixes PHP 7 compatibility for stable releases: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-120
Created attachment 435124 [details, diff] 1.1.4 -> 1.2.0.patch

Made a 1.1.4 -> 1.2.0.ebuild.patch. Basically rename + changed EAPI to 6. No testing of USE flags (builds for me with ssl and mysql).
Added a github pull request for 1.1.5 in hopes it makes life easier and moves this along: https://github.com/gentoo/gentoo/pull/1538
I opened a separate bug #584098 to track 1.2.0 since this 1.1.5 has specific security patches, whereas 1.2.0 has new features.
Thank you for working on this, Kim Sindalsen and Philippe Chaintreuil. I also have to beg your forgiveness as I forgot to thank you in the commit. I stared at it for several minutes thinking I was forgetting something, and, not being able to remember, pushed it.

commit 4d31c895c86b85f0fec9effbaf37b55c8a2229fb
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Sun May 29 13:35:04 2016 -0400

    mail-client/roundcube: Fix Multiple Vulnerabilities

    Many security issues/enhancements are resolved with this release. The most
    significant being:

    * Fix (again) security issue in DBMail driver of password plugin (CVE-2015-2181)
    * Fix path traversal vulnerability in setting a skin (CVE-2015-8770)
    * Fix XSS issue in SVG images handling
    * Fix XSS issue in href attribute on area tag

    You can find the complete list of changes in the included CHANGELOG or at:
    https://github.com/roundcube/roundcubemail/wiki/Changelog

    Bug: 580746, 584200, 584098
    Package-Manager: portage-2.2.26
@Security: This bug should probably be consolidated into 584200.
@Security: Please vote!
CVE-2016-4069 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4069): Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
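The CVE text above describes the problem (a cross-site request that makes a logged-in user's browser fetch attachment downloads) and the 1.1.5 changelog names the fix: download URLs carry a unique request token. The block below is an added, generic illustration of that technique in Python; it is not Roundcube's code and not part of this bug. It assumes a hypothetical download handler at /download that identifies an attachment by a message uid and a MIME part id; the token is an HMAC over that resource keyed with a secret that lives only in the server-side session, so a third-party page cannot construct a URL that passes the check.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the attachment download handler lives at /download and takes the
# hypothetical parameters "uid" (message) and "part" (MIME part id).
DOWNLOAD_PATH = "/download"


class DownloadTokens:
    """Issue and verify per-session, per-resource tokens for download URLs.

    The secret is created once per login session and never leaves the server.
    A cross-site page can still make the victim's browser send a request, but
    it cannot compute the token that request must carry, so the handler
    refuses it before any download work (and any disk use) happens.
    """

    def __init__(self, session_secret: Optional[bytes] = None):
        self._secret = session_secret or secrets.token_bytes(32)

    def token_for(self, uid: int, part: str) -> str:
        # Bind the token to the exact resource, so a token captured for one
        # attachment cannot be replayed against another in the same session.
        msg = f"{uid}\x00{part}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def download_url(self, uid: int, part: str) -> str:
        """Build the URL the webmail UI would emit for this attachment."""
        query = {"uid": uid, "part": part, "token": self.token_for(uid, part)}
        return f"{DOWNLOAD_PATH}?{urlencode(query)}"

    def authorize(self, url: str) -> bool:
        """Return True only if the URL carries a token valid for this session."""
        parsed = urlparse(url)
        if parsed.path != DOWNLOAD_PATH:
            return False
        q = parse_qs(parsed.query)
        try:
            uid = int(q["uid"][0])
            part = q["part"][0]
            supplied = q["token"][0]
        except (KeyError, IndexError, ValueError):
            # Missing or malformed parameters: treat as forged.
            return False
        expected = self.token_for(uid, part)
        # Constant-time comparison so a forger cannot guess the token byte-wise.
        return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed demo: one session mints a URL; the same session accepts it,
    # a token-less URL and a URL from another user's session are refused.
    session = DownloadTokens(b"constructed-session-secret")
    good = session.download_url(42, "2")
    assert session.authorize(good)
    assert not session.authorize("/download?uid=42&part=2")
    assert not DownloadTokens(b"another-users-session").authorize(good)
    print("token check behaves as expected")
```

The check has to run before the handler does anything expensive; tying the token to the session secret rather than to a global key is what stops one user's valid URL from being useful as a cross-site link against another user.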
GLSA Vote: No