Bugzilla – Bug 847179
VUL-0: CVE-2013-6172 : roundcubemail: vulnerability in handling _session argument of utils/save-prefs
Last modified: 2015-02-19 00:04:46 UTC
A vulnerability was found which could allow an attacker to overwrite configuration settings using user preferences; this can result in random file access, manipulated SQL queries or even remote code execution (0.8.6 and older).
bugbot adjusting priority
Looks good, accepted into openSUSE queue, thanks! (Not on SLE, so closing.)
We now require an additional package "php-pear-Net_IDNA2" that is included in openSUSE:Factory but not in openSUSE:12.3 or openSUSE:13.1.
How can this be included?
I have used the factory version of php5-pear-Net-IDNA2 for 12.3 and 13.1 updates.
I get an error when installing roundcubemail:
sed: can't read /etc/roundcubemail/main.inc.php: No such file or directory
and the DES key is not replaced.
This file is generated only later in the %post script. (It will probably work better on the next upgrade, but it should also work on initial installation.)
openSUSE-SU-2014:0365-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 847179
CVE References: CVE-2013-6172
openSUSE 13.1 (src): php5-pear-Net_IDNA2-0.1.1-2.1, roundcubemail-0.9.5-2.5.1
openSUSE 12.3 (src): php5-pear-Net_IDNA2-0.1.1-2.1, roundcubemail-0.9.5-1.13.1