Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. External References: https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
CVE-2017-8114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8114): Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.
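What an "improperly restricted exec call" in a password driver looks like in practice, as an added illustration that is not Roundcube's code and not the actual logic of the virtualmin or sasl driver: a username the authenticated user controls is interpolated unescaped into a command line, so the shell's word-splitting turns extra text in the username into extra arguments for the backend tool, and the account that gets its password changed is no longer the caller's. The hardened forms quote every untrusted token (the PHP equivalent is escapeshellarg) or drop the shell entirely and pass an argv list. The tool name passwd-tool, the backend() parser and the account names are assumptions; shlex.split stands in for the POSIX word-splitting a real shell performs.

```python
"""Argument injection through an unescaped exec() string, and two fixes.

Added example; the backend tool, its options and the account names are
assumptions chosen for illustration, not Roundcube's own driver code.
"""
import argparse
import shlex


def backend(argv):
    """Hypothetical password-changing CLI: parses argv the way a real tool
    would.  With argparse a repeated option keeps its last value, which is
    exactly what an injected '--user' relies on."""
    parser = argparse.ArgumentParser(prog="passwd-tool")
    parser.add_argument("--user", required=True)
    parser.add_argument("--password", required=True)
    ns = parser.parse_args(argv)
    return {"user": ns.user, "password": ns.password}


def vulnerable_driver(username, new_password):
    """Vulnerable pattern: build one command line by string interpolation
    and hand it to the shell (what exec() does when given a string).
    shlex.split() reproduces the shell's POSIX word-splitting offline."""
    cmd = f"passwd-tool --user {username} --password {new_password}"
    argv = shlex.split(cmd)[1:]          # drop the program name
    return backend(argv)


def hardened_driver_quoted(username, new_password):
    """Fix 1: still go through the shell, but quote each untrusted value so
    it stays a single token (shlex.quote here; escapeshellarg() in PHP)."""
    cmd = (f"passwd-tool --user {shlex.quote(username)}"
           f" --password {shlex.quote(new_password)}")
    argv = shlex.split(cmd)[1:]
    return backend(argv)


def hardened_driver_argv(username, new_password):
    """Fix 2 (preferred): no shell at all.  An argv list is passed straight
    to the tool, so nothing in the username can become a second argument."""
    argv = ["passwd-tool", "--user", username, "--password", new_password]
    return backend(argv[1:])


if __name__ == "__main__":
    # Constructed input: an authenticated user whose username smuggles a
    # second --user option pointing at somebody else's account.
    crafted = "attacker@example.com --user victim@example.com"
    print("vulnerable :", vulnerable_driver(crafted, "NewPass1"))
    print("quoted     :", hardened_driver_quoted(crafted, "NewPass1"))
    print("argv list  :", hardened_driver_argv(crafted, "NewPass1"))
```

In the vulnerable form the backend ends up changing victim@example.com's password; in both hardened forms it receives the whole crafted string as one user value and can only fail to find such an account.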
Now in repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cacce1c76fc3f72971acc28703d0df7059d69936 @ Arches, please test and mark stable: =mail-client/roundcube-1.2.5
amd64 stable
x86 stable
arm stable, all arches done.
Insecure version removed.

commit d73891e8c36797684cf8dad8d9c04fd0ea0209e8 (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Mon Jun 19 06:35:20 2017 -0400

    mail-client/roundcube: Remove Insecure 1.2.4

    Bug: 618322
    Package-Manager: Portage-2.3.5, Repoman-2.3.1
GLSA Vote: Yes

New GLSA request filed.
This issue was resolved and addressed in GLSA 201707-11 at https://security.gentoo.org/glsa/201707-11 by GLSA coordinator Thomas Deutschmann (whissi).