Bugzilla – Bug 952006
VUL-1: roundcubemail: unwanted access to file system in some configuration
Last modified: 2015-11-11 23:10:15 UTC
Tracker bug for roundcubemail.
https://build.opensuse.org/request/show/340988

This update fixes one security issue and one bug.

roundcubemail was updated to disallow unwanted access on files in the file system. The apache2 configuration file for roundcubemail allowed access to the roundcubemail/bin folder and possibly /logs, /config and /temp, if these were not symlinks (this is only the case when manually changed). This update comes with a fixed configuration. If you modified the file "/etc/apache2/conf.d/roundcubemail.conf", please replace it with the configuration "roundcubemail.conf.rpmnew" and reapply your changes. After that, a restart of apache2 is required.

This update also fixes an issue that causes apache2 not to start because "mod_version.c" is not loaded.
Thanks https://roundcube.net/news/2015/09/14/updates-1.1.3-and-1.0.7-released/
*** Bug 952016 has been marked as a duplicate of this bug. ***
*** Bug 952007 has been marked as a duplicate of this bug. ***
(In reply to Aeneas Jaißle from bug 952007 comment #3)
> Btw it's all packaging updates, the upstream roundcubemail source has *not*
> changed.

I see. I understand that this makes the bug specific to openSUSE packaging.

So the issue was that if the default deployment of roundcubemail was changed in such a way that roundcubemail/bin (/logs, /config, /temp) were no longer symlinks, the configuration would allow unwanted access to these paths.

Can you confirm that this is the diff that fixes it?
https://build.opensuse.org/package/rdiff/server:php:applications/roundcubemail?linkrev=base&rev=95
(In reply to Andreas Stieger from comment #5)
> (In reply to Aeneas Jaißle from bug 952007 comment #3)
> > Btw it's all packaging updates, the upstream roundcubemail source has *not*
> > changed.
>
> I see. I understand that this makes the bug specific to openSUSE packaging.
>
> So the issue was that if the default deployment of roundcubemail was changed
> in such a way that roundcubemail/bin (/logs, /config, /temp) were no longer
> symlinks, the configuration would allow unwanted access to these paths.

/srv/www/roundcubemail/bin *is* accessible, /logs, /config, /temp *may* be accessible when changed from a symlink to a folder.

> Can you confirm that this is the diff that fixes it?
> https://build.opensuse.org/package/rdiff/server:php:applications/roundcubemail?linkrev=base&rev=95

Yes, this is the fix.
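The access problem discussed above (bin always reachable, logs/config/temp reachable once they are real folders instead of symlinks) is easiest to close by denying the URLs rather than relying on filesystem layout. The fragment below is an added illustrative example, not the openSUSE packaged roundcubemail.conf or the diff linked above; the Alias URL, document root and the use of mod_authz_core as the 2.2/2.4 switch are assumptions.

```apache
# Added illustrative hardening for /etc/apache2/conf.d/roundcubemail.conf.
# Assumptions: docroot /srv/www/roundcubemail served under /roundcubemail.
# Goal: keep bin, config, logs and temp closed to web clients whether they
# are the packaged symlinks or directories created by hand.
Alias /roundcubemail /srv/www/roundcubemail

<Directory /srv/www/roundcubemail>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    # Branch on a module that only exists in 2.4 instead of <IfVersion>,
    # so the config does not depend on mod_version.c being loaded.
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

# Deny by URL: <Location> sections are merged after <Directory> sections
# and match regardless of whether the path is a symlink or a folder.
<LocationMatch "^/roundcubemail/(bin|config|logs|temp)(/|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</LocationMatch>
```

Run `apache2ctl configtest` before restarting, then confirm with a client that `/roundcubemail/bin/` and the other three paths return 403 while the application root still loads.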
Oh, I just noticed that we still had 1.0.6 in the repos, so this is indeed an update to 1.0.7!
Resubmit with new patchinfo. This is an update from 1.0.6 to 1.0.7, fixing an XSS issue (comment #2) as well as fixing the apache2 configuration (comment #5).
https://build.opensuse.org/request/show/341110
Thanks

(In reply to Aeneas Jaißle from comment #8)
> Resubmit with new patchinfo.

Not required for submissions, but we'll make sure to add the additional language.
I think you also fixed this in the Leap submission, I have added the bug there too.
openSUSE-SU-2015:1904-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 938840,952006
CVE References:
Sources used:
openSUSE 13.2 (src): roundcubemail-1.0.7-14.1
openSUSE 13.1 (src): roundcubemail-1.0.7-2.24.1
openSUSE-SU-2015:1945-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 938840,952006
CVE References:
Sources used:
openSUSE Leap 42.1 (src): roundcubemail-1.1.3-3.1
Updates shipped