Bug 1036955 - (CVE-2017-8114) VUL-0: CVE-2017-8114: roundcubemail: RCW allows arbitrary password resets by authenticated users
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
QA Contact: Security Team bot
Depends on:
Blocks:
Reported: 2017-04-29 21:09 UTC by Mikhail Kasimov
Modified: 2017-05-15 16:14 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Mikhail Kasimov 2017-04-29 21:09:00 UTC
Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-8114
===================================================
Description

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Source: MITRE    Last Modified: 04/29/2017
===================================================

Hyperlink

[1] https://github.com/ilsani/rd/tree/master/security-advisories/web/roundcube/cve-2017-8114

[2] https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11

[3] https://security-tracker.debian.org/tracker/CVE-2017-8114

Commits:
===================================================
https://github.com/roundcube/roundcubemail/releases/tag/1.2.5
https://github.com/roundcube/roundcubemail/commit/6e054a37d13dc3772d0aa454a32d5dc3bdcc7003 (1.2.x)

https://github.com/roundcube/roundcubemail/releases/tag/1.1.9
https://github.com/roundcube/roundcubemail/commit/10b227d70a03e33682aaaa0138e84f9256f3cd50 (1.1.x)

https://github.com/roundcube/roundcubemail/releases/tag/1.0.11
https://github.com/roundcube/roundcubemail/commit/271426429bfbb5b63e6dec91b1e4780e8ef1c67e (1.0.x)
===================================================

(open-)SUSE: https://software.opensuse.org/package/roundcubemail

1.2.4 (TW, official repo)
1.1.8 (42.{1,2}, official repo)
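Illustration added by the editor, not code from Roundcube, from the linked advisory, or from the commits above: the NVD text quoted in the description attributes the flaw to an improperly restricted exec call in the password plugin's virtualmin and sasl drivers. The sketch below models that class of defect generically in PHP. The helper binary path `/usr/local/bin/changepw`, the function names (`build_cmd_unsafe`, `build_cmd_safe`, `run_changepw`, `demo`) and the sample inputs are all constructed for this example. It places the unsafe string concatenation beside two defensive forms: wrapping every untrusted value with `escapeshellarg()`, and handing the secret to the helper on stdin so it never enters the command line or the process list.

```php
<?php
// Added example, not Roundcube code. Models an "improperly restricted exec
// call" in a password-change driver and two defensive rewrites.
// Constructed names: /usr/local/bin/changepw (hypothetical helper binary),
// build_cmd_unsafe, build_cmd_safe, run_changepw, demo.

// Unsafe pattern: user-controlled values are interpolated directly into a
// shell command line, so any shell metacharacter in $user or $newpass
// becomes part of the command rather than part of the data.
function build_cmd_unsafe(string $user, string $newpass): string
{
    return "/usr/local/bin/changepw $user $newpass";
}

// Hardened pattern: every untrusted value is quoted with escapeshellarg(),
// which makes the shell deliver it to the helper as one literal argument.
// The program path is a fixed absolute string that no user data touches.
function build_cmd_safe(string $user, string $newpass): string
{
    return '/usr/local/bin/changepw '
        . escapeshellarg($user) . ' '
        . escapeshellarg($newpass);
}

// Preferred form for a real driver: the username is validated against an
// allowlist of characters a mailbox name can contain, and the new password
// is written to the helper's stdin instead of being placed on the command
// line (command-line arguments are visible to other local users via ps).
function run_changepw(string $user, string $newpass): bool
{
    // Allowlist for the account name; adjust to the site's naming rules.
    if (preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $user) !== 1) {
        return false;
    }
    // Reject control characters (including newline) in the secret, because
    // the helper reads exactly one line from stdin.
    if (preg_match('/[\x00-\x1f\x7f]/', $newpass) === 1) {
        return false;
    }

    $cmd  = '/usr/local/bin/changepw ' . escapeshellarg($user);
    $spec = [
        0 => ['pipe', 'r'],   // helper reads the password from stdin
        1 => ['pipe', 'w'],
        2 => ['pipe', 'w'],
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fwrite($pipes[0], $newpass . "\n");
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        error_log('changepw failed for ' . $user . ': ' . trim($stderr));
        return false;
    }
    return true;
}

// Shows how the two builders treat the same constructed input. The sample
// password contains a space, a semicolon and a quote; only the escaped form
// keeps it as a single argument.
function demo(): array
{
    $user    = 'alice@example.test';
    $newpass = "ab'c; d";
    return [
        'unsafe' => build_cmd_unsafe($user, $newpass),
        'safe'   => build_cmd_safe($user, $newpass),
    ];
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    foreach (demo() as $label => $cmd) {
        echo str_pad($label, 7), $cmd, PHP_EOL;
    }
}
```

The two printed lines make the difference visible: the unsafe builder yields a command line with five whitespace-separated words, the safe builder yields one whose password argument is a single quoted token. The `run_changepw()` form is the one to prefer in a driver, since it removes the shell from the password path entirely; the allowlist on `$user` is a second, independent control that does not rely on escaping being applied correctly everywhere.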
Comment 2 Andreas Stieger 2017-05-08 09:45:27 UTC
server:php:applications/roundcubemail was bumped to 1.2.5
https://build.opensuse.org/request/show/493323

Can you submit a maintenance update please?
openSUSE:Leap:42.1:Update/roundcubemail 1.1.8 -> 1.1.9
openSUSE:Leap:42.2:Update/roundcubemail 1.1.8 -> 1.1.9
Comment 3 Andreas Stieger 2017-05-08 18:12:04 UTC
submitted
Comment 4 Bernhard Wiedemann 2017-05-08 20:01:14 UTC
This is an autogenerated message for OBS integration:
This bug (1036955) was mentioned in
https://build.opensuse.org/request/show/493577 42.1+42.2 / roundcubemail
Comment 5 Bernhard Wiedemann 2017-05-09 08:01:07 UTC
This is an autogenerated message for OBS integration:
This bug (1036955) was mentioned in
https://build.opensuse.org/request/show/493638 42.1+42.2 / roundcubemail
Comment 6 Andreas Stieger 2017-05-15 13:09:58 UTC
release
Comment 7 Swamp Workflow Management 2017-05-15 16:14:18 UTC
openSUSE-SU-2017:1263-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1036955
CVE References: CVE-2017-8114
Sources used:
openSUSE Leap 42.2 (src):    roundcubemail-1.1.9-17.6.1
openSUSE Leap 42.1 (src):    roundcubemail-1.1.9-21.1