Bug 824918 (CVE-2021-44025, CVE-2021-44026) - <mail-client/roundcube-1.5.0: multiple vulnerabilities
Summary: <mail-client/roundcube-1.5.0: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-44025, CVE-2021-44026
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/roundcube/roundcub...
Whiteboard: B3 [glsa?]
Keywords:
Duplicates: 829408
Depends on: 830889
Blocks: CVE-2019-15237
Reported: 2021-11-19 12:54 UTC by John Helmert III
Modified: 2023-10-27 06:14 UTC
See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-19 12:54:00 UTC
CVE-2021-44026 (https://bugs.debian.org/1000156):

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

Please bump.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-19 12:55:01 UTC
Another,

CVE-2021-44025:

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an
attachment's filename extension when displaying a MIME type warning message.
Comment 2 Philippe Chaintreuil 2021-11-19 13:59:06 UTC
Might just be easiest to drop the 1.4.11 ebuild and stabilize 1.5.0.

(That said, historically, Roundcube ebuild bumps are just a straight copy with a new name, so it's not like they're difficult.)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-20 17:13:10 UTC
(In reply to Philippe Chaintreuil from comment #2)
> Might just be easiest to drop the 1.4.11 ebuild and stabilize 1.5.0.
> 
> (That said, historically, Roundcube ebuild bumps are just a straight copy
> with a new name, so it's not like they're difficult.)

Is 1.5.0 unaffected?
Comment 4 Philippe Chaintreuil 2021-11-20 17:56:52 UTC
(In reply to John Helmert III from comment #3)
> Is 1.5.0 unaffected?

https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released says the fixes were already in 1.5.0.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-20 18:01:07 UTC
(In reply to Philippe Chaintreuil from comment #4)
> (In reply to John Helmert III from comment #3)
> > Is 1.5.0 unaffected?
> 
> https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released says the fixes were already in 1.5.0.

Thanks, please stabilize when ready then.
Comment 6 Mike Gilbert gentoo-dev 2021-12-17 22:30:24 UTC
*** Bug 829408 has been marked as a duplicate of this bug. ***
Comment 7 Philippe Chaintreuil 2023-10-27 00:46:00 UTC
Security: can this be closed? There aren't any matching ebuilds in the tree anymore.
Comment 8 Hans de Graaff gentoo-dev Security 2023-10-27 06:14:00 UTC
This still needs a decision on a security advisory, and yes, we are behind with those.