227476 – mail/roundcube: Update to 1.3.6 (a security update for CVE-2018-9846

Bug 227476 - mail/roundcube: Update to 1.3.6 (a security update for CVE-2018-9846

Summary: mail/roundcube: Update to 1.3.6 (a security update for CVE-2018-9846

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Alex Dupre

URL:	https://roundcube.net/news/2018/04/11...
Keywords:	patch-ready, security

Depends on:
Blocks:

Reported:	2018-04-12 16:51 UTC by Mahdi Mokhtari
Modified:	2018-04-14 21:56 UTC (History)
CC List:	4 users (show)

See Also:

Flags:	bugzilla: maintainer-feedback? (ale) mmokhi: maintainer-feedback? (ale)

Attachments
patch-updates-port (905 bytes, patch) 2018-04-12 16:51 UTC, Mahdi Mokhtari	mmokhi: maintainer-approval? (ale)	Details \| Diff
patch-updates-vuxml.diff (1.37 KB, patch) 2018-04-12 16:53 UTC, Mahdi Mokhtari	riggs: maintainer-approval+	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mahdi Mokhtari freebsd_committer

2018-04-12 16:51:56 UTC

Created attachment 192464 [details]
patch-updates-port

Roundcube had an important update in upstream.
including fixes for a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin (CVE-2018-9846)
Also back-porting some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for enigma-plugin.

The attached patch updates the port and also the other patch updates the vuxml entry.

Comment 1 Mahdi Mokhtari freebsd_committer

2018-04-12 16:53:13 UTC

Created attachment 192465 [details]
patch-updates-vuxml.diff

Comment 2 commit-hook freebsd_committer

2018-04-13 07:19:48 UTC

A commit references this bug:

Author: ale
Date: Fri Apr 13 07:19:32 UTC 2018
New revision: 467213
URL: https://svnweb.freebsd.org/changeset/ports/467213

Log:
  Update to 1.3.6 release.

  PR:		227476
  Submitted by:	mmokhi

Changes:
  head/mail/roundcube/Makefile
  head/mail/roundcube/distinfo

Comment 3 Thomas Zander freebsd_committer

2018-04-14 06:45:47 UTC

Comment on attachment 192465 [details]
patch-updates-vuxml.diff

This patch has already been committed.
@mmokhi you don't need explicit approval for vuxml updates. Please feel free to  commit on your own to after making sure vuln.xml passes the validation checks.

Comment 4 Mahdi Mokhtari freebsd_committer

2018-04-14 21:56:23 UTC

(In reply to Thomas Zander from comment #3)
riggs@ Thanks for the point :) I now learned new things as well.