Bug 1036955 (CVE-2017-8114)

Summary: VUL-0: CVE-2017-8114: roundcubemail: RCW allows arbitrary password resets by authenticated users
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: aj, astieger, cmueller, meissner, michael, nix, wolfgang
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mikhail Kasimov 2017-04-29 21:09:00 UTC
Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-8114
===================================================
Description

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Source: MITRE    Last Modified: 04/29/2017
===================================================

Hyperlink

[1] https://github.com/ilsani/rd/tree/master/security-advisories/web/roundcube/cve-2017-8114

[2] https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11

[3] https://security-tracker.debian.org/tracker/CVE-2017-8114

Commits:
===================================================
https://github.com/roundcube/roundcubemail/releases/tag/1.2.5
https://github.com/roundcube/roundcubemail/commit/6e054a37d13dc3772d0aa454a32d5dc3bdcc7003 (1.2.x)

https://github.com/roundcube/roundcubemail/releases/tag/1.1.9
https://github.com/roundcube/roundcubemail/commit/10b227d70a03e33682aaaa0138e84f9256f3cd50 (1.1.x)

https://github.com/roundcube/roundcubemail/releases/tag/1.0.11
https://github.com/roundcube/roundcubemail/commit/271426429bfbb5b63e6dec91b1e4780e8ef1c67e (1.0.x)
===================================================

(open-)SUSE: https://software.opensuse.org/package/roundcubemail

1.2.4 (TW, official repo)
1.1.8 (42.{1,2}, official repo)
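The flaw class named in the NVD text above ("improperly restricted exec call" in a password driver), shown as an added PHP illustration rather than Roundcube's own driver code: a driver handing a user-controlled login to an external helper with and without argument escaping. The helper path, its stdin protocol and the function names are assumptions.

```php
<?php
// Illustration added here, not code from Roundcube's password plugin.
// The helper path and its stdin protocol are assumptions for the example.

// Weak pattern: user-controlled values interpolated into the command string.
// Shell metacharacters in $user or $newpass change which command runs,
// which is the class of flaw the advisory describes as an "improperly
// restricted exec call".
function build_command_weak(string $helper, string $user, string $newpass): string
{
    return $helper . ' ' . $user . ' ' . $newpass;
}

// Hardened pattern: reject logins outside the expected character set, and
// wrap each argument in escapeshellarg() so the shell sees one literal word.
function build_command_safe(string $helper, string $user): string
{
    if (!preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $user)) {
        throw new InvalidArgumentException('login contains disallowed characters');
    }
    return escapeshellcmd($helper) . ' ' . escapeshellarg($user);
}

// The new password never goes on the command line (argv is readable in the
// process list); it is written to the helper's stdin instead. Assumes a
// helper that reads one password line from stdin and exits 0 on success.
function change_password(string $helper, string $user, string $newpass): bool
{
    $cmd  = build_command_safe($helper, $user);
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fwrite($pipes[0], $newpass . "\n");
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;
}

// Example: a login containing a shell metacharacter is refused before any
// process is started, instead of being passed through to the shell.
try {
    build_command_safe('/usr/local/sbin/chgpw', 'alice;x');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The same two checks (allow-list on the login, escapeshellarg on every argument) are what a reviewer should look for in any driver that shells out; the exit status, not the absence of output, decides whether the reset succeeded.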
Comment 2 Andreas Stieger 2017-05-08 09:45:27 UTC
server:php:applications/roundcubemail was bumped to 1.2.5
https://build.opensuse.org/request/show/493323

Can you submit a maintenance update please?
openSUSE:Leap:42.1:Update/roundcubemail 1.1.8 -> 1.1.9
openSUSE:Leap:42.2:Update/roundcubemail 1.1.8 -> 1.1.9
Comment 3 Andreas Stieger 2017-05-08 18:12:04 UTC
submitted
Comment 4 Bernhard Wiedemann 2017-05-08 20:01:14 UTC
This is an autogenerated message for OBS integration:
This bug (1036955) was mentioned in
https://build.opensuse.org/request/show/493577 42.1+42.2 / roundcubemail
Comment 5 Bernhard Wiedemann 2017-05-09 08:01:07 UTC
This is an autogenerated message for OBS integration:
This bug (1036955) was mentioned in
https://build.opensuse.org/request/show/493638 42.1+42.2 / roundcubemail
Comment 6 Andreas Stieger 2017-05-15 13:09:58 UTC
release
Comment 7 Swamp Workflow Management 2017-05-15 16:14:18 UTC
openSUSE-SU-2017:1263-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1036955
CVE References: CVE-2017-8114
Sources used:
openSUSE Leap 42.2 (src):    roundcubemail-1.1.9-17.6.1
openSUSE Leap 42.1 (src):    roundcubemail-1.1.9-21.1