223557 – security/vuxml: Document vulnerability in roundcube (CVE-2017-16651)

Bug 223557 - security/vuxml: Document vulnerability in roundcube (CVE-2017-16651)

Summary: security/vuxml: Document vulnerability in roundcube (CVE-2017-16651)

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Danilo G. Baio

URL:	https://github.com/roundcube/roundcub...
Keywords:	patch, security

Depends on:
Blocks:	223547
	Show dependency tree / graph

Reported:	2017-11-09 11:16 UTC by VK
Modified:	2017-11-11 17:30 UTC (History)
CC List:	2 users (show)

See Also:	223547

Attachments
Document CVE-2017-16651 (1.57 KB, patch) 2017-11-09 11:16 UTC, VK	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description VK 2017-11-09 11:16:04 UTC

Created attachment 187878 [details]
Document CVE-2017-16651

Roundcube before 1.3.3 contains a file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. More details will be published under CVE-2017-16651.

Attached is a patch that documents this.

The port has been updated (See bug #223547).

Comment 1 commit-hook freebsd_committer

2017-11-11 17:30:05 UTC

A commit references this bug:

Author: dbaio
Date: Sat Nov 11 17:29:26 UTC 2017
New revision: 453982
URL: https://svnweb.freebsd.org/changeset/ports/453982

Log:
  security/vuxml: Document vulnerability in in mail/roundcube

  PR:		223557
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:	CVE-2017-16651

Changes:
  head/security/vuxml/vuln.xml

Comment 2 Danilo G. Baio freebsd_committer

2017-11-11 17:30:59 UTC

Committed with slight changes, thanks!