From ${URL} : An XSS vulnerability in roundcubemail was found when drag-n-dropping a file with crafted filename, e.g. '><img src=x onerror=alert(1);>. Upstream bug: http://trac.roundcube.net/ticket/1490530 Upstream patch: http://trac.roundcube.net/changeset/dd7db2179/github @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
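The bug above is a classic case of attacker-controlled text (a filename) being concatenated into HTML. The following is an added example in plain JavaScript, not Roundcube's code and not the upstream patch linked above: it places the vulnerable concatenation pattern beside the hardened one, using the crafted filename from the report as input, and includes a tag-count check of the kind a unit test can use to catch regressions. The function names and the attachment-list markup are assumptions for illustration.

```javascript
// Added example (not Roundcube's code): rendering an uploaded file's name
// into an attachment list. The filename is attacker-controlled, so it must
// be treated as text, never as markup.

// Minimal HTML escaper suitable for text nodes and quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the name is concatenated straight into markup, so a
// name containing quotes and angle brackets closes the attribute and the
// tag and starts new elements of the attacker's choosing.
function renderAttachmentUnsafe(name) {
  return '<li class="attachment" title="' + name + '">' + name + '</li>';
}

// Hardened pattern: every interpolation goes through escapeHtml(), so the
// name can only ever become character data inside the intended element.
function renderAttachmentSafe(name) {
  const n = escapeHtml(name);
  return '<li class="attachment" title="' + n + '">' + n + '</li>';
}

// Regression check: count the tags in the rendered output. One attachment
// entry should yield exactly two tags, <li ...> and </li>; anything more
// means the filename was interpreted as markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// Sample input: the crafted filename quoted in the bug report.
const CRAFTED_NAME = "'><img src=x onerror=alert(1);>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderAttachmentUnsafe(CRAFTED_NAME),
              'tags =', countTags(renderAttachmentUnsafe(CRAFTED_NAME)));
  console.log('safe:  ', renderAttachmentSafe(CRAFTED_NAME),
              'tags =', countTags(renderAttachmentSafe(CRAFTED_NAME)));
}
```

In a browser the same distinction is made by assigning the name to `textContent` (or `setAttribute`) rather than building an `innerHTML` string; the escaper above is the string-building equivalent. The tag-count check is deliberately crude, but it is enough to fail a test the moment an unescaped interpolation is reintroduced.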
I'll add arches in a day or so to make sure no issues crop up.

commit c20f39cdcba8d3f75fcd7d6c09e80d2ee0655e40
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Wed Dec 9 07:44:37 2015 -0500

mail-client/roundcube: Version bump, security, and bug fixes

Added two USE flags controlling optional dependencies to support the enigma and sieverules plugins.

Added REQUIRED_USE as one of postgres, mysql, or sqlite must be enabled. Roundcube requires a database to operate. As the ebuild uses this now, removed the default enable on the mysql USE flag.

Added POST-UPGRADE.txt which is just a shortened version of the UPGRADE text from upstream.

Dropped arm and ppc64 keywords as one dependency, dev-php/PEAR-Net_LDAP2, currently lacks matching keywords for those architectures.

Bug: 541172, 545096, 524192, 564476, 565204, 53284
Package-Manager: portage-2.2.20.1
I made a typo in my previous commit. The last bug number is 532844.
*** Bug 565204 has been marked as a duplicate of this bug. ***
Arch teams, stabilization target is:

=mail-client/roundcube-1.1.3

Thank you.
(In reply to Aaron W. Swenson from comment #4)
> Arch teams, stabilization target is:
>
> =mail-client/roundcube-1.1.3

My question about the keywords for 1.1.3 is this:
+KEYWORDS="~amd64 ~hppa ~ppc ~sparc ~x86"

Previous builds have keywords of:
KEYWORDS="amd64 arm ~hppa ppc ~ppc64 ~sparc x86"

So we are missing (arm, ~ppc64). Are we removing them?
>>> Creating Manifest for /home/zlogene/gentoo/mail-client/roundcube
dependency.bad [fatal] 25
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome/systemd) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/kde) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/kde/systemd) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/plasma) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/plasma/systemd) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/developer) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/systemd) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: x86(default/linux/x86/13.0) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop) ['>=dev-php/PEAR-Mail_Mime-1.8.9']
(In reply to Yury German from comment #5)
> (In reply to Aaron W. Swenson from comment #4)
> > Arch teams, stabilization target is:
> >
> > =mail-client/roundcube-1.1.3
>
> Questions about the Keywords for this 1.1.3 is:
> +KEYWORDS="~amd64 ~hppa ~ppc ~sparc ~x86"
>
> Previous Builds have keywords of:
> KEYWORDS="amd64 arm ~hppa ppc ~ppc64 ~sparc x86"
> So we are missing (arm, ~ppc64). Are we removing them?

Yes, as I mentioned in the commit message, but should have reiterated, dev-php/PEAR-Net_LDAP2, which is one of the optional dependencies, currently lacks matching keywords for those architectures.

I don't know how or why the previous versions of roundcube were stabilized given that the arm and ppc64 weren't dropped from dev-php/PEAR-Net_LDAP2 and older versions of roundcube have it as a dependency.

(In reply to Mikle Kolyada from comment #6)
> >>> Creating Manifest for /home/zlogene/gentoo/mail-client/roundcube
> dependency.bad [fatal] 25
>
> mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND:
> amd64(default/linux/amd64/13.0)
>
> ['>=dev-php/PEAR-Mail_Mime-1.8.9']
>
> mail-client/roundcube/roundcube-1.1.3.ebuild: RDEPEND:
> amd64(default/linux/amd64/13.0/desktop)

I forgot about that. I've opened another bug to get dev-php/PEAR-Mail_Mime-1.9.0 stabled.
Just to note, this is one reason why I often maintain(ed) both the old and newer upstream versions (in this case 1.0.7 and 1.1.3). That way 1.0.7 should be able to go stable quickly since it doesn't have any new deps and 1.1.3 can sit and get more testing.
(In reply to Aaron W. Swenson from comment #7)
> Yes, as I mentioned in the commit message, but should have reiterated,
> dev-php/PEAR-Net_LDAP2, which is one of the optional dependencies, currently
> lacks matching keywords for those architectures.
>
> I don't know how or why the previous versions of roundcube were stabilized
> given that the arm and ppc64 weren't dropped from dev-php/PEAR-Net_LDAP2 and
> older versions of roundcube have it as a dependency.

At some point either I or someone else obviously missed it.

Regarding your REQUIRED_USE change, you should still have a default choice selected for the db backend. That way things like `ebuild fetch` work by default and people doing automated tinderbox tests don't have to make choices.
Fresh install with nothing pre-installed (mysql/apache/php): the ebuild pulls in php without the apache2 flag, so there is no apache php module.
(In reply to Craig from comment #10)
> Fresh install with nothing pre-installed(mysql/apache/php) the ebuild pulls
> in php without the apache2 flag so there is no apache php module.

Separate bug will be filed, not blocking security stable. No further comment required (AMD64 arch test mentor).
Why is HPPA CC'd here?
(In reply to Jeroen Roovers from comment #12)
> Why is HPPA CC'd here?

Because HPPA isn't shown as an unstable architecture in Bugzilla, and it has a keyword in this package. However, I'm seeing that sparc hasn't been stabled on this package either. Is there a reason HPPA and sparc shouldn't be CC'd and that we shouldn't stable on those arches?
Architectures with only unstable keywords on a package don't get security treatment.
amd64 stable
x86 stable
ppc stable
Additional vulnerabilities have been found. The newly released version 1.1.4 fixes these issues: https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/
A new bug has been created for the vulnerability (Bug # 570336), set as dependency.
My fault, should have been a blocker.
commit 8a3bcf93eba9de75950be6b0cf1c09b3edf36171
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Jan 14 13:45:54 2016 -0500

mail-client/roundcube: Version Bump

Version bump fixes bug 570834 and addresses multiple security bugs.

Bug: 570834,564476,570336
Package-Manager: portage-2.2.20.1

Stabilization targets:
=mail-client/roundcube-1.1.4 ~amd64 ~hppa ~ppc ~sparc ~x86

Stabilization targets pending resolution of 571920:
=mail-client/roundcube-1.1.4 ~arm ~ppc64
arm stable, all arches done.
commit fddb2b8c50395843639b43ea9a908a94bc887924
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Jan 21 08:51:17 2016 -0500

mail-client/roundcube: Remove Insecure Versions

Removed insecure versions 1.0.5, 1.0.6, and 1.1.3.

Bug: 554866, 564476, 570336
Package-Manager: portage-2.2.26
Assigned to GLSA 74a1a7303
This issue was resolved and addressed in GLSA 201603-03 at https://security.gentoo.org/glsa/201603-03 by GLSA coordinator Sergey Popov (pinkbyte).