Roundcube 1.3.6 has been released. It addresses CVE-2018-9846. "It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846." These usually work by just renaming the existing ebuild.

Announcement: https://roundcube.net/news/2018/04/11/security-update-1.3.6
Changelog: https://github.com/roundcube/roundcubemail/releases/tag/1.3.6
CVE: https://nvd.nist.gov/vuln/detail/CVE-2018-9846
Can confirm that just renaming the existing 1.3.4 ebuild to 1.3.6 works fine for me.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c769016cc36b9803c40f093f3ab9831529ded12

commit 2c769016cc36b9803c40f093f3ab9831529ded12
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-04-27 19:41:26 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-04-27 19:41:26 +0000

mail-client/roundcube: Bump to 1.3.6

Fixes a security issue related to IMAP command injection.
Fixes a XSS concern.

Bug: https://bugs.gentoo.org/651124
Bug: https://bugs.gentoo.org/653044
Package-Manager: Portage-2.3.24, Repoman-2.3.6

mail-client/roundcube/Manifest | 1 +
mail-client/roundcube/roundcube-1.3.6.ebuild | 99 ++++++++++++++++++++++++++++
2 files changed, 100 insertions(+)
Please stabilize the following target: =mail-client/roundcube-1.3.6 ~amd64 ~arm ~ppc ~ppc64 ~x86
This CVE has been addressed in the 1.2.x line as well. I just added bug #654220 to track that.
*** Bug 654220 has been marked as a duplicate of this bug. ***
(In reply to Philippe Chaintreuil from comment #4)
> This CVE has been addressed in the 1.2.x line as well. I just added bug #654220 to track that.

I think we'll drop 1.2 as soon as this is stabled.
amd64 stable
GLSA Vote: No

@maintainer(s), please clean the vulnerable versions.
stabled per ALLARCH: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d130de22d462c0d7f4faa6a5bd972d0322dfd799
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9ffc2bbca6873f0c222c2bf69c408f387ae63a3

commit a9ffc2bbca6873f0c222c2bf69c408f387ae63a3
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-05-02 12:15:49 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-05-02 12:15:49 +0000

mail-client/roundcube: Cleanup <1.3.6

Cleanup insecure versions.

Bug: https://bugs.gentoo.org/653044
Package-Manager: Portage-2.3.24, Repoman-2.3.6

mail-client/roundcube/Manifest | 3 -
mail-client/roundcube/roundcube-1.2.7.ebuild | 74 ------------------
mail-client/roundcube/roundcube-1.3.3-r1.ebuild | 76 -------------------
mail-client/roundcube/roundcube-1.3.4.ebuild | 99 -------------------------
4 files changed, 252 deletions(-)