Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 824918 (CVE-2021-44025, CVE-2021-44026) - <mail-client/roundcube-1.5.0: multiple vulnerabilities
Summary: <mail-client/roundcube-1.5.0: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-44025, CVE-2021-44026
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/roundcube/roundcub...
Whiteboard: B3 [glsa?]
Keywords:
: 829408 (view as bug list)
Depends on: 830889
Blocks: CVE-2019-15237
  Show dependency tree
 
Reported: 2021-11-19 12:54 UTC by John Helmert III
Modified: 2023-10-27 06:14 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-19 12:54:00 UTC
CVE-2021-44026 (https://bugs.debian.org/1000156):

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

Please bump.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-19 12:55:01 UTC
Another,

CVE-2021-44025:

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an
attachment's filename extension when displaying a MIME type warning message.
Comment 2 Philippe Chaintreuil 2021-11-19 13:59:06 UTC
Might just be easiest to drop the 1.4.11 ebuild and stabilize 1.5.0.

(That said, historically, Roundcube ebuild bumps are just a straight copy with a new name, so it's not like they're difficult.)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-20 17:13:10 UTC
(In reply to Philippe Chaintreuil from comment #2)
> Might just be easiest to drop the 1.4.11 ebuild and stabilize 1.5.0.
> 
> (That said, historically, Roundcube ebuild bumps are just a straight copy
> with a new name, so it's not like they're difficult.)

Is 1.5.0 unaffected?
Comment 4 Philippe Chaintreuil 2021-11-20 17:56:52 UTC
(In reply to John Helmert III from comment #3)
> Is 1.5.0 unaffected?

https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released says the fixes were already in 1.5.0.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-20 18:01:07 UTC
(In reply to Philippe Chaintreuil from comment #4)
> (In reply to John Helmert III from comment #3)
> > Is 1.5.0 unaffected?
> 
> https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-
> released says the fixes were already in 1.5.0.

Thanks, please stabilize when ready then.
Comment 6 Mike Gilbert gentoo-dev 2021-12-17 22:30:24 UTC
*** Bug 829408 has been marked as a duplicate of this bug. ***
Comment 7 Philippe Chaintreuil 2023-10-27 00:46:00 UTC
Security: can this be closed?  There aren't any matching ebuilds in the tree anymore.
Comment 8 Hans de Graaff gentoo-dev Security 2023-10-27 06:14:00 UTC
This still needs a decision on a security advisory, and yes, we are behind with those.