Minor bug fix version: "delivering important bug fixes and helps protecting Roundcube against more XSS and CSRF attacks. Version 1.1.5 also has two new plugin hooks integrated [...]."
Roundcube version bumps have historically only required an ebuild copy+rename. Nothing indicates that this version would require anything more.
Multiple vulnerabilities for roundcube have been fixed in 1.1.5:
Fix XSS issue in SVG images handling (#4949)
Protect download urls against CSRF using unique request tokens (#4957)
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115 also mentions
Fix (again) security issue in DBMail driver of password plugin (CVE-2015-2181) (#4958)
Created attachment 431740 [details]
1.1.5 ebuild -- fixes download url
Attached an updated ebuild that just changes the SRC_URI from mirror://sourceforge/ to the new https://github.com/ location. (I tried to use mirror://github/, but that stuck a "/download/" at the base of the URL that messed it up. If someone knows how to fix that, feel free.)
This ebuild worked for me (1.1.4 -> 1.1.5).
*** Bug 583414 has been marked as a duplicate of this bug. ***
1.2.0 has been released, which also fixes php7 compatibility for stable releases:
Created attachment 435124 [details, diff]
1.1.4 -> 1.2.0.patch
Made a 1.1.4 -> 1.2.0.ebuild.patch
Basically rename + changed EAPI to 6
No testing of USE-flags (builds for me with ssl and mysql)
Added a github pull request for 1.1.5 in hopes it makes life easier and moves this along: https://github.com/gentoo/gentoo/pull/1538
I opened a separate bug #584098 to track 1.2.0 since this 1.1.5 has specific security patches, whereas 1.2.0 has new features.
Thank you for working on this, Kim Sindalsen and Philippe Chaintreuil. I also have to beg your forgiveness as I forgot to thank you in the commit. I stared at it for several minutes thinking I was forgetting something, and not being able to remember, pushed it.
Author: Aaron W. Swenson <firstname.lastname@example.org>
Date: Sun May 29 13:35:04 2016 -0400
mail-client/roundcube: Fix Multiple Vulnerabilities
Many security issues/enhancements are resolved with this release. The
most significant being:
* Fix (again) security issue in DBMail driver of password plugin (CVE-2015-2181)
* Fix path traversal vulnerability in setting a skin (CVE-2015-8770)
* Fix XSS issue in SVG images handling
* Fix XSS issue in href attribute on area tag
You can find the complete list of changes in the included CHANGELOG or at:
Bug: 580746, 584200, 584098
@Security: This bug should probably be consolidated into 584200.
@Security: Please vote!
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
GLSA Vote: No