From the advisory at $URL: "A security flaw was found in the way Round Cube Webmail, a browser-based multilingual IMAP client, processed certail email-messages containing URL link in the message Subject, when the Suhosin check for dangerous PHP files inclusion was enabled. A remote attacker could send a specially-crafted email message to the victim, leading to denial of service (situation, where victim could not open their mail INBOX folder with the crafted email message present)." References: [1] http://trac.roundcube.net/ticket/1488086 [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646675 [3] https://bugs.php.net/bug.php?id=55475 The upstream bug contains a backported patch for roundcube 0.5.4.
This is fixed in 0.6 that is in the tree. Please stabilize. =mail-client/roundcube-0.6 Target KEYWORDS="amd64 arm ppc ppc64 sparc x86"
amd64: all ok
amd64 ok
+ 03 Nov 2011; Tony Vroon <chainsaw@gentoo.org> roundcube-0.6.ebuild: + Marked stable on AMD64 based on arch testing by Ian "idella4" Delaney & + Agostino "ago" Sarubbo in security bug #388613.
(In reply to comment #4) > + 03 Nov 2011; Tony Vroon <chainsaw@gentoo.org> roundcube-0.6.ebuild: > + Marked stable on AMD64 based on arch testing by Ian "idella4" Delaney & > + Agostino "ago" Sarubbo in security bug #388613. This will be taking longer as the arch testers have failed to report dependencies properly. My apologies.
Now done.
x86 stable, thanks.
sparc is not stable
CVE-2011-4078 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4078): include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resource consumption and inbox outage), via a Subject header containing only a URL, a related issue to CVE-2011-3379.
ppc/ppc64 stable
Thanks, everyone. Time for a GLSA vote.
Thanks, everyone. GLSA Vote: no.
Vote: NO. Closing noglsa.
